├── .github └── PULL_REQUEST_TEMPLATE.md ├── .gitignore ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── aws-config-conformance-packs ├── AWS-Control-Tower-Detective-Guardrails.yaml ├── Operational-Best-Practices-For-NIST-800-181.yaml ├── Operational-Best-Practices-For-Networking-and-Content-Delivery-Services.yaml ├── Operational-Best-Practices-For-Security-Identity-and-Compliance-Services.yaml ├── Operational-Best-Practices-for-ABS-CCIGv2-Material-Part-1.yaml ├── Operational-Best-Practices-for-ABS-CCIGv2-Material-Part-2.yaml ├── Operational-Best-Practices-for-ABS-CCIGv2-Material.yaml ├── Operational-Best-Practices-for-ABS-CCIGv2-Standard.yaml ├── Operational-Best-Practices-for-ACSC-Essential8.yaml ├── Operational-Best-Practices-for-ACSC-ISM.yaml ├── Operational-Best-Practices-for-AI-and-ML.yaml ├── Operational-Best-Practices-for-API-Gateway.yaml ├── Operational-Best-Practices-for-APRA-CPG-234.yaml ├── Operational-Best-Practices-for-AWS-Backup.yaml ├── Operational-Best-Practices-for-AWS-Identity-and-Access-Management.yaml ├── Operational-Best-Practices-for-AWS-Well-Architected-Reliability-Pillar.yaml ├── Operational-Best-Practices-for-AWS-Well-Architected-Security-Pillar.yaml ├── Operational-Best-Practices-for-Amazon-DynamoDB-with-Remediation.yaml ├── Operational-Best-Practices-for-Amazon-DynamoDB.yaml ├── Operational-Best-Practices-for-Amazon-S3-with-Remediation.yaml ├── Operational-Best-Practices-for-Amazon-S3.yaml ├── Operational-Best-Practices-for-Asset-Management.yaml ├── Operational-Best-Practices-for-BCP-and-DR.yaml ├── Operational-Best-Practices-for-BNM-RMiT.yaml ├── Operational-Best-Practices-for-CCCS-Medium.yaml ├── Operational-Best-Practices-for-CCN-ENS-High.yaml ├── Operational-Best-Practices-for-CCN-ENS-Low.yaml ├── Operational-Best-Practices-for-CCN-ENS-Medium.yaml ├── Operational-Best-Practices-for-CIS-AWS-FB-v1.3-Level1.yaml ├── Operational-Best-Practices-for-CIS-AWS-FB-v1.3-Level2.yaml ├── Operational-Best-Practices-for-CIS-AWS-v1.3-Level1.yaml 
├── Operational-Best-Practices-for-CIS-AWS-v1.3-Level2.yaml ├── Operational-Best-Practices-for-CIS-AWS-v1.4-Level1.yaml ├── Operational-Best-Practices-for-CIS-AWS-v1.4-Level2.yaml ├── Operational-Best-Practices-for-CIS-Critical-Security-Controls-v8-IG1.yaml ├── Operational-Best-Practices-for-CIS-Critical-Security-Controls-v8-IG2.yaml ├── Operational-Best-Practices-for-CIS-Critical-Security-Controls-v8-IG3.yaml ├── Operational-Best-Practices-for-CIS-Top20.yaml ├── Operational-Best-Practices-for-CIS.yaml ├── Operational-Best-Practices-for-CISA-Cyber-Essentials.yaml ├── Operational-Best-Practices-for-CJIS.yaml ├── Operational-Best-Practices-for-CMMC-2.0-Level-1.yaml ├── Operational-Best-Practices-for-CMMC-2.0-Level-2.yaml ├── Operational-Best-Practices-for-CloudWatch.yaml ├── Operational-Best-Practices-for-Compute-Services.yaml ├── Operational-Best-Practices-for-Data-Resiliency.yaml ├── Operational-Best-Practices-for-Database-Services.yaml ├── Operational-Best-Practices-for-Datalakes-and-Analytics-Services.yaml ├── Operational-Best-Practices-for-DevOps.yaml ├── Operational-Best-Practices-for-EC2.yaml ├── Operational-Best-Practices-for-ENISA-Cybersecurity-Guide.yaml ├── Operational-Best-Practices-for-Encryption-and-Keys.yaml ├── Operational-Best-Practices-for-FDA-21CFR-Part-11.yaml ├── Operational-Best-Practices-for-FFIEC.yaml ├── Operational-Best-Practices-for-FedRAMP-HighPart1.yaml ├── Operational-Best-Practices-for-FedRAMP-HighPart2.yaml ├── Operational-Best-Practices-for-FedRAMP-Low.yaml ├── Operational-Best-Practices-for-FedRAMP-Moderate.yaml ├── Operational-Best-Practices-for-FedRAMP.yaml ├── Operational-Best-Practices-for-Germany-C5.yaml ├── Operational-Best-Practices-for-Gramm-Leach-Bliley-Act.yaml ├── Operational-Best-Practices-for-GxP-EU-Annex-11.yaml ├── Operational-Best-Practices-for-HIPAA-Security.yaml ├── Operational-Best-Practices-for-IRS-1075.yaml ├── Operational-Best-Practices-for-KISMS-cpack.yaml ├── Operational-Best-Practices-for-KISMS.yaml ├── 
Operational-Best-Practices-for-Load-Balancing.yaml ├── Operational-Best-Practices-for-Logging.yaml ├── Operational-Best-Practices-for-MAS-Notice-655.yaml ├── Operational-Best-Practices-for-MAS-TRMG.yaml ├── Operational-Best-Practices-for-Management-Governance-Services.yaml ├── Operational-Best-Practices-for-Monitoring.yaml ├── Operational-Best-Practices-for-NBC-TRMG.yaml ├── Operational-Best-Practices-for-NCSC-CAF.yaml ├── Operational-Best-Practices-for-NCSC-CloudSec-Principles.yaml ├── Operational-Best-Practices-for-NERC-CIP-BCSI.yaml ├── Operational-Best-Practices-for-NERC-CIP.yaml ├── Operational-Best-Practices-for-NIST-1800-25.yaml ├── Operational-Best-Practices-for-NIST-800-171.yaml ├── Operational-Best-Practices-for-NIST-800-172.yaml ├── Operational-Best-Practices-for-NIST-800-53-rev-4.yaml ├── Operational-Best-Practices-for-NIST-800-53-rev-5.yaml ├── Operational-Best-Practices-for-NIST-CSF.yaml ├── Operational-Best-Practices-for-NIST-Privacy-Framework.yaml ├── Operational-Best-Practices-for-NYDFS-23-NYCRR-500.yaml ├── Operational-Best-Practices-for-NZISM.yaml ├── Operational-Best-Practices-for-Networking-Services.yaml ├── Operational-Best-Practices-for-PCI-DSS-v4.0-excluding-global-resourcetypes.yaml ├── Operational-Best-Practices-for-PCI-DSS-v4.0-excluding-global-resourcetypes.yml ├── Operational-Best-Practices-for-PCI-DSS-v4.0-including-global-resourcetypes.yaml ├── Operational-Best-Practices-for-PCI-DSS-v4.0-including-global-resourcetypes.yml ├── Operational-Best-Practices-for-PCI-DSS.yaml ├── Operational-Best-Practices-for-Publicly-Accessible-Resources.yaml ├── Operational-Best-Practices-for-RBI-Basic-Cyber-Security-Framework.yaml ├── Operational-Best-Practices-for-RBI-MasterDirection.yaml ├── Operational-Best-Practices-for-SWIFT-CSP.yaml ├── Operational-Best-Practices-for-Security-Services.yaml ├── Operational-Best-Practices-for-Serverless.yaml ├── Operational-Best-Practices-for-Storage-Services.yaml ├── README.md ├── 
Security-Best-Practices-for-AWS-WAF.yaml ├── Security-Best-Practices-for-Amazon-OpenSearch-Service.yaml ├── Security-Best-Practices-for-AutoScaling.yaml ├── Security-Best-Practices-for-CloudFront.yaml ├── Security-Best-Practices-for-CloudTrail.yaml ├── Security-Best-Practices-for-CodeBuild.yaml ├── Security-Best-Practices-for-ECR.yaml ├── Security-Best-Practices-for-ECS.yaml ├── Security-Best-Practices-for-EFS.yaml ├── Security-Best-Practices-for-EKS.yaml ├── Security-Best-Practices-for-Lambda.yaml ├── Security-Best-Practices-for-Network-Firewall.yaml ├── Security-Best-Practices-for-RDS.yaml ├── Security-Best-Practices-for-Redshift.yaml ├── Security-Best-Practices-for-SageMaker.yaml ├── Security-Best-Practices-for-Secrets-Manager.yaml └── custom-conformance-pack.yaml ├── java ├── HOWTO.md ├── RULES_JAVA.md ├── pom.xml └── src │ ├── main │ └── java │ │ └── com │ │ └── amazonaws │ │ └── services │ │ └── config │ │ └── samplerules │ │ ├── DbInstanceBackupParameters.java │ │ ├── DesiredInstanceTenancy.java │ │ ├── RootAccountMFAEnabled.java │ │ └── exception │ │ └── FunctionExecutionException.java │ └── test │ └── java │ └── com │ └── amazonaws │ └── services │ └── config │ └── samplerules │ ├── DbInstanceBackupParametersTest.java │ ├── DesiredInstanceTenancyTest.java │ └── RootAccountMFAEnabledTest.java ├── node ├── iam_access_key_rotation-triggered.js ├── iam_mfa_require-triggered.js ├── instance_desired_tenancy-triggered.js └── rds_db_instance_encrypted.js ├── python-rdklib ├── AMI_DEPRECATED_CHECK │ ├── AMI_DEPRECATED_CHECK.py │ ├── AMI_DEPRECATED_CHECK_test.py │ ├── README.md │ ├── ec2_rule_report.png │ └── parameters.json ├── EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH │ ├── README.md │ ├── config_rule │ │ ├── config-version │ │ │ └── EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH │ │ │ │ ├── EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH.py │ │ │ │ ├── EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH_test.py │ │ │ │ └── parameters.json │ │ └── ec2_version │ │ │ └── EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH │ │ │ 
├── EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH.py │ │ │ ├── EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH_test.py │ │ │ └── parameters.json │ └── ssm_automation │ │ └── ec2_tag_volumes_ssm_document_executeScript.yaml ├── README.md └── SECURITYHUB_ENABLED │ ├── SECURITYHUB_ENABLED.py │ └── parameters.json └── python ├── ' RDK parameters.json for AWS Managed Config Rules ├── ACM_CERTIFICATE_EXPIRATION_CHECK │ ├── Readme.md │ └── parameters.json ├── ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK │ ├── Readme.md │ └── parameters.json ├── API_GW_CACHE_ENABLED_AND_ENCRYPTED │ ├── Readme.md │ └── parameters.json ├── API_GW_ENDPOINT_TYPE_CHECK │ ├── Readme.md │ └── parameters.json ├── CLOUDFRONT_VIEWER_POLICY_HTTPS │ ├── Readme.md │ └── parameters.json ├── CLOUDTRAIL_S3_DATAEVENTS_ENABLED │ ├── Readme.md │ └── parameters.json ├── CLOUDWATCH_LOG_GROUP_ENCRYPTED │ ├── Readme.md │ └── parameters.json ├── CLOUD_TRAIL_ENCRYPTION_ENABLED │ ├── Readme.md │ └── parameters.json ├── CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED │ ├── Readme.md │ └── parameters.json ├── CMK_BACKING_KEY_ROTATION_ENABLED │ ├── Readme.md │ └── parameters.json ├── DB_INSTANCE_BACKUP_ENABLED │ ├── Readme.md │ └── parameters.json ├── DYNAMODB_TABLE_ENCRYPTION_ENABLED │ ├── Readme.md │ └── parameters.json ├── EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK │ ├── Readme.md │ └── parameters.json ├── EC2_ASSOCIATION_COMPLIANCE_STATUS_CHECK │ ├── Readme.md │ └── parameters.json ├── EC2_INSTANCE_MANAGED_BY_SSM │ ├── Readme.md │ └── parameters.json ├── EC2_INSTANCE_NO_PUBLIC_IP │ ├── EC2_INSTANCE_NO_PUBLIC_IP.py │ ├── EC2_INSTANCE_NO_PUBLIC_IP_test.py │ ├── Readme.md │ └── parameters.json ├── EC2_PATCH_COMPLIANCE_STATUS_CHECK │ ├── Readme.md │ └── parameters.json ├── EC2_SECURITY_GROUP_ATTACHED_TO_ENI │ ├── Readme.md │ └── parameters.json ├── EC2_VOLUME_INUSE_CHECK │ ├── Readme.md │ └── parameters.json ├── EFS_ENCRYPTED_CHECK │ ├── Readme.md │ └── parameters.json ├── ELASTICSEARCH_ENCRYPTED_AT_REST │ ├── Readme.md │ └── parameters.json ├── 
ELASTICSEARCH_IN_VPC_ONLY │ ├── Readme.md │ └── parameters.json ├── ELB_ACM_CERTIFICATE_REQUIRED │ ├── Readme.md │ └── parameters.json ├── ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK │ ├── Readme.md │ └── parameters.json ├── ELB_LOGGING_ENABLED │ ├── Readme.md │ └── parameters.json ├── ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK │ ├── Readme.md │ └── parameters.json ├── GUARDDUTY_ENABLED_CENTRALIZED │ ├── Readme.md │ └── parameters.json ├── IAM_PASSWORD_POLICY │ ├── Readme.md │ └── parameters.json ├── IAM_USER_MFA_ENABLED │ ├── Readme.md │ └── parameters.json ├── IAM_USER_UNUSED_CREDENTIALS_CHECK │ ├── Readme.md │ └── parameters.json ├── LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED │ ├── Readme.md │ └── parameters.json ├── MULTI_REGION_CLOUD_TRAIL_ENABLED │ ├── Readme.md │ └── parameters.json ├── RDS_INSTANCE_PUBLIC_ACCESS_CHECK │ ├── Readme.md │ └── parameters.json ├── RDS_MULTI_AZ_SUPPORT │ ├── Readme.md │ └── parameters.json ├── RDS_SNAPSHOTS_PUBLIC_PROHIBITED │ ├── Readme.md │ └── parameters.json ├── RDS_STORAGE_ENCRYPTED │ ├── Readme.md │ └── parameters.json ├── REDSHIFT_CLUSTER_CONFIGURATION_CHECK │ ├── Readme.md │ └── parameters.json ├── REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK │ ├── Readme.md │ └── parameters.json ├── ROOT_ACCOUNT_MFA_ENABLED │ ├── Readme.md │ └── parameters.json ├── S3_BUCKET_LOGGING_ENABLED │ ├── Readme.md │ └── parameters.json ├── S3_BUCKET_PUBLIC_READ_PROHIBITED │ ├── Readme.md │ └── parameters.json ├── S3_BUCKET_PUBLIC_WRITE_PROHIBITED │ ├── Readme.md │ └── parameters.json ├── S3_BUCKET_SSL_REQUESTS_ONLY │ ├── Readme.md │ └── parameters.json ├── S3_BUCKET_VERSIONING_ENABLED │ ├── Readme.md │ └── parameters.json ├── VPC_DEFAULT_SECURITY_GROUP_CLOSED │ ├── Readme.md │ └── parameters.json ├── VPC_FLOW_LOGS_ENABLED │ ├── Readme.md │ └── parameters.json ├── VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS │ ├── Readme.md │ └── parameters.json └── VPC_VPN_2_TUNNELS_UP │ ├── Readme.md │ └── parameters.json ├── ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ├── 
ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK.py ├── ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK_test.py └── parameters.json ├── AMI_NOT_PUBLIC_CHECK ├── AMI_NOT_PUBLIC_CHECK.py ├── AMI_NOT_PUBLIC_CHECK_test.py └── parameters.json ├── AMI_OUTDATED_CHECK ├── AMI_OUTDATED_CHECK.py ├── AMI_OUTDATED_CHECK_test.py └── parameters.json ├── AMI_OWNERID_CHECK ├── AMI_OWNERID_CHECK.py └── parameters.json ├── API_GW_AUTHORIZER_IN_PLACE ├── API_GW_AUTHORIZER_IN_PLACE.py └── parameters.json ├── API_GW_CACHE_ENABLED_AND_ENCRYPTED ├── API_GW_CACHE_ENABLED_AND_ENCRYPTED.py ├── API_GW_CACHE_ENABLED_AND_ENCRYPTED_test.py └── parameters.json ├── API_GW_ENDPOINT_TYPE_CHECK ├── API_GW_ENDPOINT_TYPE_CHECK.py ├── API_GW_ENDPOINT_TYPE_CHECK_test.py └── parameters.json ├── API_GW_EXECUTION_LOGGING_ENABLED ├── API_GW_EXECUTION_LOGGING_ENABLED.py ├── API_GW_EXECUTION_LOGGING_ENABLED_test.py └── parameters.json ├── API_GW_NOT_EDGE_OPTIMISED ├── API_GW_NOT_EDGE_OPTIMISED.py ├── API_GW_NOT_EDGE_OPTIMISED_test.py └── parameters.json ├── API_GW_PRIVATE_RESTRICTED ├── API_GW_PRIVATE_RESTRICTED.py ├── API_GW_PRIVATE_RESTRICTED_test.py └── parameters.json ├── API_GW_RESTRICTED_IP ├── API_GW_RESTRICTED_IP.py ├── API_GW_RESTRICTED_IP_test.py └── parameters.json ├── BUSINESS_SUPPORT_OR_ABOVE_ENABLED ├── BUSINESS_SUPPORT_OR_ABOVE_ENABLED.py ├── BUSINESS_SUPPORT_OR_ABOVE_ENABLED_test.py └── parameters.json ├── CLOUDFRONT_LOGGING_ENABLED ├── CLOUDFRONT_LOGGING_ENABLED.py ├── CLOUDFRONT_LOGGING_ENABLED_test.py └── parameters.json ├── CLOUDFRONT_VIEWER_POLICY_HTTPS ├── CLOUDFRONT_VIEWER_POLICY_HTTPS.py ├── CLOUDFRONT_VIEWER_POLICY_HTTPS_test.py └── parameters.json ├── CLOUDFRONT_WEBACL_CHECK ├── CLOUDFRONT_WEBACL_CHECK.py ├── CLOUDFRONT_WEBACL_CHECK_test.py └── parameters.json ├── CLOUDTRAIL_ENABLED_V2 ├── CLOUDTRAIL_ENABLED_V2.py ├── CLOUDTRAIL_ENABLED_V2_test.py └── parameters.json ├── CLOUDTRAIL_S3_DATAEVENTS_ENABLED ├── CLOUDTRAIL_S3_DATAEVENTS_ENABLED.py ├── CLOUDTRAIL_S3_DATAEVENTS_ENABLED_test.py └── parameters.json 
├── CLOUDWATCH_LOG_GROUP_ENCRYPTED ├── CLOUDWATCH_LOG_GROUP_ENCRYPTED.py ├── CLOUDWATCH_LOG_GROUP_ENCRYPTED_test.py └── parameters.json ├── DMS_REPLICATION_NOT_PUBLIC ├── DMS_REPLICATION_NOT_PUBLIC.py ├── DMS_REPLICATION_NOT_PUBLIC_test.py └── parameters.json ├── DYNAMODB_ENCRYPTED_CUSTOM ├── DYNAMODB_ENCRYPTED.py ├── DYNAMODB_ENCRYPTED_test.py └── parameters.json ├── EBS_ENCRYPTED_VOLUMES_V2 ├── EBS_ENCRYPTED_VOLUMES_V2.py ├── EBS_ENCRYPTED_VOLUMES_V2_test.py └── parameters.json ├── EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK ├── EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK.py ├── EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK_test.py └── parameters.json ├── EC2_INSTANCE_LICENSE_INCLUDED_DEDICATED_HOST ├── EC2_INSTANCE_LICENSE_INCLUDED_DEDICATED_HOST.py ├── EC2_INSTANCE_LICENSE_INCLUDED_DEDICATED_HOST_test.py └── parameters.json ├── EC2_INSTANCE_NO_PUBLIC_IP ├── EC2_INSTANCE_NO_PUBLIC_IP.py ├── EC2_INSTANCE_NO_PUBLIC_IP_test.py └── parameters.json ├── EC2_SECURITY_GROUP_BADINGRESS ├── EC2_SECURITY_GROUP_BADINGRESS.py └── parameters.json ├── EC2_SECURITY_GROUP_NOT_USED ├── EC2_SECURITY_GROUP_NOT_USED.py ├── EC2_SECURITY_GROUP_NOT_USED_test.py └── parameters.json ├── EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME ├── EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME.py ├── EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME_test.py └── parameters.json ├── ECR_REPOSITORY_SCAN_ON_PUSH_CHECK ├── ECR_REPOSITORY_SCAN_ON_PUSH_CHECK.py ├── ECR_REPOSITORY_SCAN_ON_PUSH_CHECK_test.py └── parameters.json ├── ECS_AWSLOGS_CHECK ├── ECS_AWSLOGS_CHECK.py └── parameters.json ├── ECS_ECRIMAGE_CHECK ├── ECS_ECRIMAGE_CHECK.py └── parameters.json ├── EFS_ENCRYPTED_CHECK ├── EFS_ENCRYPTED_CHECK.py ├── EFS_ENCRYPTED_CHECK_test.py └── parameters.json ├── EKS_LOGGING_CHECK ├── EKS_LOGGING_CHECK.py └── parameters.json ├── EKS_PUBLIC_ACCESS ├── EKS_PUBLIC_ACCESS.py └── parameters.json ├── ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK ├── ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK.py ├── ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK_test.py └── 
parameters.json ├── ELASTICSEARCH_ENCRYPTED_AT_REST ├── ELASTICSEARCH_ENCRYPTED_AT_REST.py ├── ELASTICSEARCH_ENCRYPTED_AT_REST_test.py └── parameters.json ├── ELASTICSEARCH_IN_VPC_ONLY ├── ELASTICSEARCH_IN_VPC_ONLY.py ├── ELASTICSEARCH_IN_VPC_ONLY_test.py └── parameters.json ├── ELB_ALB_PREDEFINED_SSL_CHECK ├── ELB_ALB_PREDEFINED_SSL_CHECK.py ├── ELB_ALB_PREDEFINED_SSL_CHECK_test.py └── parameters.json ├── ELB_DELETION_PROTECTION_ENABLED ├── ELB_DELETION_PROTECTION_ENABLED.py ├── ELB_DELETION_PROTECTION_ENABLED_test.py └── parameters.json ├── EMR_KERBEROS_ENABLED ├── EMR_KERBEROS_ENABLED.py ├── EMR_KERBEROS_ENABLED_test.py └── parameters.json ├── EMR_MASTER_NO_PUBLIC_IP ├── EMR_MASTER_NO_PUBLIC_IP.py ├── EMR_MASTER_NO_PUBLIC_IP_test.py └── parameters.json ├── EMR_SECURITY_GROUPS_RESTRICTED ├── EMR_SECURITY_GROUPS_RESTRICTED.py ├── EMR_SECURITY_GROUPS_RESTRICTED_test.py └── parameters.json ├── ENTERPRISE_SUPPORT_PLAN_ENABLED ├── ENTERPRISE_SUPPORT_PLAN_ENABLED.py ├── ENTERPRISE_SUPPORT_PLAN_ENABLED_test.py └── parameters.json ├── GUARDDUTY_UNTREATED_FINDINGS ├── GUARDDUTY_UNTREATED_FINDINGS.py ├── GUARDDUTY_UNTREATED_FINDINGS_test.py └── parameters.json ├── IAM_ACCESS_KEY_ROTATED ├── IAM_ACCESS_KEY_ROTATED.py ├── IAM_ACCESS_KEY_ROTATED_test.py └── parameters.json ├── IAM_GROUP_NO_POLICY_FULL_STAR ├── IAM_GROUP_NO_POLICY_FULL_STAR.py ├── IAM_GROUP_NO_POLICY_FULL_STAR_test.py └── parameters.json ├── IAM_IP_RESTRICTION ├── IAM_IP_RESTRICTION.py ├── IAM_IP_RESTRICTION_test.py └── parameters.json ├── IAM_NO_USER ├── IAM_NO_USER.py ├── IAM_NO_USER_test.py └── parameters.json ├── IAM_POLICY_REQUIRED ├── IAM_POLICY_REQUIRED.py ├── IAM_POLICY_REQUIRED_test.py └── parameters.json ├── IAM_ROLE_NO_POLICY_FULL_STAR ├── IAM_ROLE_NO_POLICY_FULL_STAR.py ├── IAM_ROLE_NO_POLICY_FULL_STAR_test.py └── parameters.json ├── IAM_USER_MATCHES_REGEX_PATTERN ├── IAM_USER_MATCHES_REGEX_PATTERN.py ├── IAM_USER_MATCHES_REGEX_PATTERN_test.py └── parameters.json ├── IAM_USER_MFA_ENABLED ├── 
IAM_USER_MFA_ENABLED.py ├── IAM_USER_MFA_ENABLED_test.py └── parameters.json ├── IAM_USER_NO_POLICY_FULL_STAR ├── IAM_USER_NO_POLICY_FULL_STAR.py ├── IAM_USER_NO_POLICY_FULL_STAR_test.py └── parameters.json ├── IAM_USER_PERMISSION_BOUNDARY_CHECK ├── IAM_USER_PERMISSION_BOUNDARY_CHECK.py ├── IAM_USER_PERMISSION_BOUNDARY_CHECK_test.py └── parameters.json ├── IAM_USER_USED_LAST_90_DAYS ├── IAM_USER_USED_LAST_90_DAYS.py ├── IAM_USER_USED_LAST_90_DAYS_test.py └── parameters.json ├── INSTANCE_PROFILE_HAVE_DEFINED_POLICIES ├── INSTANCE_PROFILE_HAVE_DEFINED_POLICIES.py ├── INSTANCE_PROFILE_HAVE_DEFINED_POLICIES_test.py └── parameters.json ├── INTERNET_GATEWAY_AUTHORIZED_ONLY ├── INTERNET_GATEWAY_AUTHORIZED_ONLY.py ├── INTERNET_GATEWAY_AUTHORIZED_ONLY_test.py └── parameters.json ├── KMS_KEYS_TO_NOT_DELETE ├── KMS_KEYS_TO_NOT_DELETE.py ├── KMS_KEYS_TO_NOT_DELETE_test.py └── parameters.json ├── LAMBDA_CODE_IS_VERSIONED ├── LAMBDA_CODE_IS_VERSIONED.py ├── LAMBDA_CODE_IS_VERSIONED_test.py └── parameters.json ├── LAMBDA_CONCURRENCY_CHECK ├── LAMBDA_CONCURRENCY_CHECK.py ├── LAMBDA_CONCURRENCY_CHECK_test.py └── parameters.json ├── LAMBDA_DLQ_CHECK ├── LAMBDA_DLQ_CHECK.py ├── LAMBDA_DLQ_CHECK_test.py └── parameters.json ├── LAMBDA_INSIDE_VPC ├── LAMBDA_INSIDE_VPC.py ├── LAMBDA_INSIDE_VPC_test.py └── parameters.json ├── LAMBDA_ROLE_ALLOWED_ON_LOGGING ├── LAMBDA_ROLE_ALLOWED_ON_LOGGING.py ├── LAMBDA_ROLE_ALLOWED_ON_LOGGING_test.py └── parameters.json ├── RDS_ENHANCED_MONITORING_ENABLED ├── RDS_ENHANCED_MONITORING_ENABLED.py ├── RDS_ENHANCED_MONITORING_ENABLED_test.py └── parameters.json ├── REDSHIFT_AUDIT_ENABLED ├── REDSHIFT_AUDIT_ENABLED.py ├── REDSHIFT_AUDIT_ENABLED_test.py └── parameters.json ├── REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK ├── REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK.py ├── REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK_test.py └── parameters.json ├── REDSHIFT_DB_ENCRYPTED ├── REDSHIFT_DB_ENCRYPTED.py ├── REDSHIFT_DB_ENCRYPTED_test.py └── parameters.json ├── REDSHIFT_FIPS_REQUIRED 
├── REDSHIFT_FIPS_REQUIRED.py ├── REDSHIFT_FIPS_REQUIRED_test.py └── parameters.json ├── REDSHIFT_SSL_REQUIRED ├── REDSHIFT_SSL_REQUIRED.py ├── REDSHIFT_SSL_REQUIRED_test.py └── parameters.json ├── REDSHIFT_USER_ACTIVITY_MONITORING_ENABLED ├── REDSHIFT_USER_ACTIVITY_MONITORING_ENABLED.py ├── REDSHIFT_USER_ACTIVITY_MONITORING_ENABLED_test.py └── parameters.json ├── REST_API_GW_CUSTOMDOMAIN_CHECK ├── REST_API_GW_CUSTOMDOMAIN_CHECK.py ├── REST_API_GW_CUSTOMDOMAIN_CHECK_test.py └── parameters.json ├── ROOT_NO_ACCESS_KEY ├── ROOT_NO_ACCESS_KEY.py ├── ROOT_NO_ACCESS_KEY_test.py └── parameters.json ├── S3_BUCKET_NAMING_CONVENTION ├── S3_BUCKET_NAMING_CONVENTION.py ├── S3_BUCKET_NAMING_CONVENTION_test.py └── parameters.json ├── S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT ├── README.md ├── S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT.PY ├── S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT_TEST.py └── parameters.json ├── S3_VPC_ENDPOINT_ENABLED ├── S3_VPC_ENDPOINT_ENABLED.py ├── S3_VPC_ENDPOINT_ENABLED_test.py └── parameters.json ├── SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED ├── SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED.py ├── SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED_test.py └── parameters.json ├── SAGEMAKER_NOTEBOOK_KMS_CONFIGURED ├── SAGEMAKER_NOTEBOOK_KMS_CONFIGURED.py ├── SAGEMAKER_NOTEBOOK_KMS_CONFIGURED_test.py └── parameters.json ├── SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS ├── SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS.py ├── SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS_test.py └── parameters.json ├── SECRETSMANAGER_MAX_SECRET_AGE ├── SECRETSMANAGER_MAX_SECRET_AGE.py ├── SECRETSMANAGER_MAX_SECRET_AGE_test.py └── parameters.json ├── SHIELD_ADVANCED_ENABLED_AUTORENEW ├── Readme.md ├── SHIELD_ADVANCED_ENABLED_AUTORENEW.py ├── SHIELD_ADVANCED_ENABLED_AUTORENEW_test.py └── parameters.json ├── SHIELD_DRT_ACCESS ├── SHIELD_DRT_ACCESS.py ├── SHIELD_DRT_ACCESS_test.py └── parameters.json ├── SNS_ENCRYPTED_TOPIC_CHECK ├── SNS_ENCRYPTED_TOPIC_CHECK.py ├── 
SNS_ENCRYPTED_TOPIC_CHECK_test.py └── parameters.json ├── SNS_TOPIC_EMAIL_SUB_IN_DOMAINS ├── SNS_TOPIC_EMAIL_SUB_IN_DOMAINS.py ├── SNS_TOPIC_EMAIL_SUB_IN_DOMAINS_test.py └── parameters.json ├── SQS_ENCRYPTION_CHECK ├── SQS_ENCRYPTION_CHECK.py ├── SQS_ENCRYPTION_CHECK_test.py └── parameters.json ├── SQS_PUBLIC_ACCESS_CHECK ├── SQS_PUBLIC_ACCESS_CHECK.py ├── SQS_PUBLIC_ACCESS_CHECK_test.py └── parameters.json ├── SQS_TRANSIT_ENCRYPTION_CHECK ├── SQS_TRANSIT_ENCRYPTION_CHECK.py ├── SQS_TRANSIT_ENCRYPTION_CHECK_test.py └── parameters.json ├── VPC_ENDPOINT_DEFAULT_POLICY ├── VPC_ENDPOINT_DEFAULT_POLICY.py ├── VPC_ENDPOINT_DEFAULT_POLICY_test.py └── parameter.json ├── VPC_ENDPOINT_MANUAL_ACCEPTANCE ├── VPC_ENDPOINT_MANUAL_ACCEPTANCE.py ├── VPC_ENDPOINT_MANUAL_ACCEPTANCE_test.py └── parameters.json ├── VPC_FLOW_LOGS_ENABLED_CUSTOM ├── VPC_FLOW_LOGS_ENABLED_CUSTOM.py ├── VPC_FLOW_LOGS_ENABLED_CUSTOM_test.py └── parameters.json ├── VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS ├── VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS.py ├── VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS_test.py └── parameters.json ├── VPC_VPN_2_TUNNELS_UP ├── VPC_VPN_2_TUNNELS_UP.py ├── VPC_VPN_2_TUNNELS_UP_test.py └── parameters.json ├── WAFV2_WEBACL_LOGGING_ENABLED ├── WAFV2_WEBACL_LOGGING_ENABLED.py ├── WAFV2_WEBACL_LOGGING_ENABLED_test.py └── parameters.json ├── cloudtrail_encrypted.py ├── cloudtrail_lfi_activated.py ├── config_enabled.py ├── config_rules_exist.py ├── ec2-exposed-instance.py ├── ec2_desired_instance_type.py ├── ec2_desired_lifecycle_spot.py ├── ec2_launch_wizard_security_group_prohibited.py ├── ec2_no_internet_access.py ├── ec2_require_ebs_snapshots_for_volumes.py ├── ec2_require_security_group_by_tag.py ├── ec2_require_tags_with_valid_values.py ├── ec2_security_group_ingress.py ├── ec2_security_group_port_range_all_prohibited.py ├── ec2_security_group_protocol_all_prohibited.py ├── ec2_vpc_public_subnet.py ├── iam_mfa_for_console_access.py ├── iam_policy_exists.py ├── iam_unused_keys.py ├── 
lambda_require_tags_with_valid_values.py ├── pylintrc ├── rds_desired_instance_type.py ├── rds_vpc_public_subnet.py ├── s3_bucket_default_encryption_enabled.py └── s3_bucket_policy_prohibited.py /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | I confirm these files are made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 2 | 3 | *Issue #, if available:* 4 | 5 | *Description of changes:* 6 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.zip 2 | *.DS_Store 3 | __pycache__/ 4 | *.pyc -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to AWS Config Rules Repository 2 | Welcome to the contributing section. Thanks a lot for considering going through the process; we will make it as enjoyable as possible! 3 | 4 | ## Our Mission 5 | Build high-quality rules that can be reused by, or inspire, the community. 6 | 7 | ## Building your first Rule 8 | We recommend using the [Rule Development Kit](https://github.com/awslabs/aws-config-rdk). The RDK increases your rule coding speed by an order of magnitude and you can get started relatively fast. We suggest using Python due to the maturity of the tooling and the community. 9 | 10 | Here's a blog post to get started with the RDK: https://aws.amazon.com/blogs/mt/how-to-develop-custom-aws-config-rules-using-the-rule-development-kit/ 11 | 12 | ## Publishing your Rule 13 | 1. (python) Lint your rule with pylint, using the rcfile python/pylintrc 14 | 2. Open a pull request from your fork. 15 | 3. (python) Good-bot will verify that your pylint score is 10/10 with no findings. 16 | 4. Our team will review it manually and merge your PR. 17 | 5. 
Et voilà! 18 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Operational-Best-Practices-for-API-Gateway.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Operational Best Practices for API Gateway 5 | # 6 | # This conformance pack helps verify that API Gateway resources follow AWS operational best practices (WAF association, encrypted cache, allowed endpoint types, execution logging, TLS on stages, X-Ray tracing) and that CloudTrail is enabled and delivering to CloudWatch Logs. It is a sample template and does not by itself guarantee compliance with any specific standard. 7 | # 8 | # See Parameters section for names and descriptions of required parameters. 9 | # 10 | ################################################################################## 11 | 12 | Parameters: 13 | ApiGwEndpointTypeCheckParamEndpointConfigurationTypes: Description: Comma-separated list of API Gateway endpoint types that api-gw-endpoint-type-check treats as compliant. The default (REGIONAL, PRIVATE, EDGE) permits every endpoint type, so the rule reports nothing as non-compliant until the list is narrowed to the types your organization allows (for example REGIONAL, PRIVATE). 14 | Default: REGIONAL, PRIVATE, EDGE 15 | Type: String 16 | Resources: 17 | ApiGwAssociatedWithWaf: 18 | Properties: 19 | ConfigRuleName: api-gw-associated-with-waf 20 | Scope: 21 | ComplianceResourceTypes: 22 | - AWS::ApiGateway::Stage 23 | Source: 24 | Owner: AWS 25 | SourceIdentifier: API_GW_ASSOCIATED_WITH_WAF 26 | Type: AWS::Config::ConfigRule 27 | ApiGwCacheEnabledAndEncrypted: 28 | Properties: 29 | ConfigRuleName: api-gw-cache-enabled-and-encrypted 30 | Scope: 31 | ComplianceResourceTypes: 32 | - AWS::ApiGateway::Stage 33 | Source: 34 | Owner: AWS 35 | SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED 36 | Type: AWS::Config::ConfigRule 37 | ApiGwEndpointTypeCheck: 38 | Properties: 39 | ConfigRuleName: api-gw-endpoint-type-check 40 | InputParameters: 41 | endpointConfigurationTypes: 42 | Fn::If: 43 | - apiGwEndpointTypeCheckParamEndpointConfigurationTypes 44 | - Ref: ApiGwEndpointTypeCheckParamEndpointConfigurationTypes 45 | - Ref: AWS::NoValue 46 | Scope: 47 | ComplianceResourceTypes: 48 | - AWS::ApiGateway::RestApi 49 | Source: 50 | Owner: AWS 51 | SourceIdentifier: API_GW_ENDPOINT_TYPE_CHECK 52 | Type: AWS::Config::ConfigRule 53 | ApiGwExecutionLoggingEnabled: 54 | Properties: 55 | ConfigRuleName: 
api-gw-execution-logging-enabled 56 | Scope: 57 | ComplianceResourceTypes: 58 | - AWS::ApiGateway::Stage 59 | - AWS::ApiGatewayV2::Stage 60 | Source: 61 | Owner: AWS 62 | SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED 63 | Type: AWS::Config::ConfigRule 64 | ApiGwSslEnabled: 65 | Properties: 66 | ConfigRuleName: api-gw-ssl-enabled 67 | Scope: 68 | ComplianceResourceTypes: 69 | - AWS::ApiGateway::Stage 70 | Source: 71 | Owner: AWS 72 | SourceIdentifier: API_GW_SSL_ENABLED 73 | Type: AWS::Config::ConfigRule 74 | ApiGwXrayEnabled: 75 | Properties: 76 | ConfigRuleName: api-gw-xray-enabled 77 | Scope: 78 | ComplianceResourceTypes: 79 | - AWS::ApiGateway::Stage 80 | Source: 81 | Owner: AWS 82 | SourceIdentifier: API_GW_XRAY_ENABLED 83 | Type: AWS::Config::ConfigRule 84 | CloudTrailCloudWatchLogsEnabled: 85 | Properties: 86 | ConfigRuleName: cloud-trail-cloud-watch-logs-enabled 87 | Source: 88 | Owner: AWS 89 | SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED 90 | Type: AWS::Config::ConfigRule 91 | CloudTrailEnabled: 92 | Properties: 93 | ConfigRuleName: cloudtrail-enabled 94 | Source: 95 | Owner: AWS 96 | SourceIdentifier: CLOUD_TRAIL_ENABLED 97 | Type: AWS::Config::ConfigRule 98 | Conditions: 99 | apiGwEndpointTypeCheckParamEndpointConfigurationTypes: 100 | Fn::Not: 101 | - Fn::Equals: 102 | - '' 103 | - Ref: ApiGwEndpointTypeCheckParamEndpointConfigurationTypes 104 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Operational-Best-Practices-for-Amazon-DynamoDB-with-Remediation.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # Conformance Pack: 4 | # Operational Best Practices for Amazon DynamoDB, with Remediation 5 | # 6 | # See Parameters section for names and descriptions of required parameters. 
7 | # 8 | ################################################################################ 9 | 10 | Parameters: 11 | SnsTopicForPublishNotificationArn: 12 | Description: The ARN of the SNS topic to which the notification about the auto-remediation status should be published. 13 | Type: String 14 | PublishSnsAutomationExecutionRoleArn: Description: The full ARN, including your account ID, of the IAM role that SSM Automation assumes to run AWS-PublishSNSNotification (for example arn:aws:iam::<account-id>:role/PublishSnsAutomationExecutionRole). The role must be assumable by SSM Automation and should be scoped to sns:Publish on the notification topic only. Type: String 15 | Resources: 16 | DynamoDbAutoscalingEnabled: 17 | Properties: 18 | ConfigRuleName: DynamoDbAutoscalingEnabled 19 | Description: "This rule checks whether Auto Scaling is enabled on your DynamoDB tables. Optionally you can set the read and write capacity units for the table." 20 | MaximumExecutionFrequency: Six_Hours 21 | Scope: 22 | ComplianceResourceTypes: 23 | - "AWS::DynamoDB::Table" 24 | Source: 25 | Owner: AWS 26 | SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED 27 | Type: "AWS::Config::ConfigRule" 28 | DynamoDbAutoscalingEnabledManualRemediation: 29 | DependsOn: DynamoDbAutoscalingEnabled 30 | Type: 'AWS::Config::RemediationConfiguration' 31 | Properties: 32 | ConfigRuleName: DynamoDbAutoscalingEnabled 33 | ResourceType: "AWS::DynamoDB::Table" 34 | TargetId: "AWS-PublishSNSNotification" 35 | TargetType: "SSM_DOCUMENT" 36 | TargetVersion: "1" 37 | Parameters: 38 | AutomationAssumeRole: 39 | StaticValue: 40 | Values: 41 | - Ref: PublishSnsAutomationExecutionRoleArn 42 | Message: 43 | StaticValue: 44 | Values: 45 | - "A table with no autoscaling configuration found" 46 | TopicArn: 47 | StaticValue: 48 | Values: 49 | - Ref: SnsTopicForPublishNotificationArn 50 | 51 | DynamoDbThroughputLimitCheck: 52 | Properties: 53 | ConfigRuleName: DynamoDbThroughputLimitCheck 54 | Description: "Checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account." 
55 | MaximumExecutionFrequency: Six_Hours 56 | Source: 57 | Owner: AWS 58 | SourceIdentifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK 59 | Type: "AWS::Config::ConfigRule" 60 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Operational-Best-Practices-for-Amazon-DynamoDB.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # Conformance Pack: 4 | # Operational Best Practices for Amazon DynamoDB 5 | # 6 | ################################################################################ 7 | 8 | Parameters: 9 | DynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage: 10 | Default: '80' 11 | Type: String 12 | DynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage: 13 | Default: '80' 14 | Type: String 15 | ServiceVpcEndpointEnabledParamServiceName: 16 | Default: dynamodb 17 | Type: String 18 | Resources: 19 | DaxEncryptionEnabled: 20 | Properties: 21 | ConfigRuleName: dax-encryption-enabled 22 | Source: 23 | Owner: AWS 24 | SourceIdentifier: DAX_ENCRYPTION_ENABLED 25 | Type: AWS::Config::ConfigRule 26 | DynamodbAutoscalingEnabled: 27 | Properties: 28 | ConfigRuleName: dynamodb-autoscaling-enabled 29 | Scope: 30 | ComplianceResourceTypes: 31 | - AWS::DynamoDB::Table 32 | Source: 33 | Owner: AWS 34 | SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED 35 | Type: AWS::Config::ConfigRule 36 | DynamodbInBackupPlan: 37 | Properties: 38 | ConfigRuleName: dynamodb-in-backup-plan 39 | Source: 40 | Owner: AWS 41 | SourceIdentifier: DYNAMODB_IN_BACKUP_PLAN 42 | Type: AWS::Config::ConfigRule 43 | DynamodbPitrEnabled: 44 | Properties: 45 | ConfigRuleName: dynamodb-pitr-enabled 46 | Scope: 47 | ComplianceResourceTypes: 48 | - AWS::DynamoDB::Table 49 | Source: 50 | Owner: AWS 51 | SourceIdentifier: DYNAMODB_PITR_ENABLED 52 | Type: AWS::Config::ConfigRule 53 | DynamodbTableEncryptedKms: 54 | 
Properties: 55 | ConfigRuleName: dynamodb-table-encrypted-kms 56 | Scope: 57 | ComplianceResourceTypes: 58 | - AWS::DynamoDB::Table 59 | Source: 60 | Owner: AWS 61 | SourceIdentifier: DYNAMODB_TABLE_ENCRYPTED_KMS 62 | Type: AWS::Config::ConfigRule 63 | DynamodbThroughputLimitCheck: 64 | Properties: 65 | ConfigRuleName: dynamodb-throughput-limit-check 66 | InputParameters: 67 | accountRCUThresholdPercentage: 68 | Fn::If: 69 | - dynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage 70 | - Ref: DynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage 71 | - Ref: AWS::NoValue 72 | accountWCUThresholdPercentage: 73 | Fn::If: 74 | - dynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage 75 | - Ref: DynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage 76 | - Ref: AWS::NoValue 77 | Source: 78 | Owner: AWS 79 | SourceIdentifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK 80 | Type: AWS::Config::ConfigRule 81 | ServiceVpcEndpointEnabled: 82 | Properties: 83 | ConfigRuleName: service-vpc-endpoint-enabled 84 | InputParameters: 85 | serviceName: 86 | Fn::If: 87 | - serviceVpcEndpointEnabledParamServiceName 88 | - Ref: ServiceVpcEndpointEnabledParamServiceName 89 | - Ref: AWS::NoValue 90 | Source: 91 | Owner: AWS 92 | SourceIdentifier: SERVICE_VPC_ENDPOINT_ENABLED 93 | Type: AWS::Config::ConfigRule 94 | Conditions: 95 | dynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage: 96 | Fn::Not: 97 | - Fn::Equals: 98 | - '' 99 | - Ref: DynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage 100 | dynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage: 101 | Fn::Not: 102 | - Fn::Equals: 103 | - '' 104 | - Ref: DynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage 105 | serviceVpcEndpointEnabledParamServiceName: 106 | Fn::Not: 107 | - Fn::Equals: 108 | - '' 109 | - Ref: ServiceVpcEndpointEnabledParamServiceName 110 | -------------------------------------------------------------------------------- 
/aws-config-conformance-packs/README.md: -------------------------------------------------------------------------------- 1 | # Important 2 | > **Conformance packs provide a general-purpose compliance framework to help you create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. AWS conformance pack sample templates intend to help you create your own conformance packs with different or additional rules, input parameters and remediation actions that suit your environment. The sample templates, including those related to compliance standards and industry benchmarks, are not designed to ensure your compliance with a specific governance standard. They can neither replace your internal efforts nor guarantee that you will pass a compliance assessment.** 3 | 4 | Here are the conformance pack YAML templates that you see in AWS Config console. Within each conformance pack template, you can use one or more AWS Config rules and remediation actions. The AWS Config rules listed within the conformance pack can be AWS Config managed rules and/or AWS Config custom rules. 
5 | 6 | [Learn more about conformance packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html) 7 | 8 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-AWS-WAF.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Security Best Practices for AWS WAF 5 | # 6 | ################################################################################## 7 | 8 | Resources: 9 | AlbWafEnabled: 10 | Properties: 11 | ConfigRuleName: alb-waf-enabled 12 | Scope: 13 | ComplianceResourceTypes: 14 | - AWS::ElasticLoadBalancingV2::LoadBalancer 15 | Source: 16 | Owner: AWS 17 | SourceIdentifier: ALB_WAF_ENABLED 18 | Type: AWS::Config::ConfigRule 19 | ApiGwAssociatedWithWaf: 20 | Properties: 21 | ConfigRuleName: api-gw-associated-with-waf 22 | Scope: 23 | ComplianceResourceTypes: 24 | - AWS::ApiGateway::Stage 25 | Source: 26 | Owner: AWS 27 | SourceIdentifier: API_GW_ASSOCIATED_WITH_WAF 28 | Type: AWS::Config::ConfigRule 29 | WafRegionalRuleNotEmpty: 30 | Properties: 31 | ConfigRuleName: waf-regional-rule-not-empty 32 | Scope: 33 | ComplianceResourceTypes: 34 | - AWS::WAFRegional::Rule 35 | Source: 36 | Owner: AWS 37 | SourceIdentifier: WAF_REGIONAL_RULE_NOT_EMPTY 38 | Type: AWS::Config::ConfigRule 39 | WafRegionalRulegroupNotEmpty: 40 | Properties: 41 | ConfigRuleName: waf-regional-rulegroup-not-empty 42 | Scope: 43 | ComplianceResourceTypes: 44 | - AWS::WAFRegional::RuleGroup 45 | Source: 46 | Owner: AWS 47 | SourceIdentifier: WAF_REGIONAL_RULEGROUP_NOT_EMPTY 48 | Type: AWS::Config::ConfigRule 49 | WafRegionalWebaclNotEmpty: 50 | Properties: 51 | ConfigRuleName: waf-regional-webacl-not-empty 52 | Scope: 53 | ComplianceResourceTypes: 54 | - AWS::WAFRegional::WebACL 55 | Source: 56 | Owner: AWS 57 | SourceIdentifier: 
WAF_REGIONAL_WEBACL_NOT_EMPTY 58 | Type: AWS::Config::ConfigRule 59 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-Amazon-OpenSearch-Service.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Security Best Practices for Amazon OpenSearch Service 5 | # 6 | # This Conformance Pack has been designed for compatibility with the majority of 7 | # AWS regions and to not require setting of any Parameters. Additional managed rules 8 | # that require parameters to be set for your environment and/or for your specific 9 | # region can be found at: 10 | # https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 11 | # 12 | # See Parameters section for names and descriptions of required parameters. 13 | ################################################################################## 14 | 15 | Resources: 16 | OpensearchAccessControlEnabled: 17 | Properties: 18 | ConfigRuleName: opensearch-access-control-enabled 19 | Scope: 20 | ComplianceResourceTypes: 21 | - AWS::OpenSearch::Domain 22 | Source: 23 | Owner: AWS 24 | SourceIdentifier: OPENSEARCH_ACCESS_CONTROL_ENABLED 25 | Type: AWS::Config::ConfigRule 26 | OpensearchAuditLoggingEnabled: 27 | Properties: 28 | ConfigRuleName: opensearch-audit-logging-enabled 29 | Scope: 30 | ComplianceResourceTypes: 31 | - AWS::OpenSearch::Domain 32 | Source: 33 | Owner: AWS 34 | SourceIdentifier: OPENSEARCH_AUDIT_LOGGING_ENABLED 35 | Type: AWS::Config::ConfigRule 36 | OpensearchDataNodeFaultTolerance: 37 | Properties: 38 | ConfigRuleName: opensearch-data-node-fault-tolerance 39 | Scope: 40 | ComplianceResourceTypes: 41 | - AWS::OpenSearch::Domain 42 | Source: 43 | Owner: AWS 44 | SourceIdentifier: OPENSEARCH_DATA_NODE_FAULT_TOLERANCE 45 | Type: 
AWS::Config::ConfigRule 46 | OpensearchEncryptedAtRest: 47 | Properties: 48 | ConfigRuleName: opensearch-encrypted-at-rest 49 | Scope: 50 | ComplianceResourceTypes: 51 | - AWS::OpenSearch::Domain 52 | Source: 53 | Owner: AWS 54 | SourceIdentifier: OPENSEARCH_ENCRYPTED_AT_REST 55 | Type: AWS::Config::ConfigRule 56 | OpensearchHttpsRequired: 57 | Properties: 58 | ConfigRuleName: opensearch-https-required 59 | Scope: 60 | ComplianceResourceTypes: 61 | - AWS::OpenSearch::Domain 62 | Source: 63 | Owner: AWS 64 | SourceIdentifier: OPENSEARCH_HTTPS_REQUIRED 65 | Type: AWS::Config::ConfigRule 66 | OpensearchInVpcOnly: 67 | Properties: 68 | ConfigRuleName: opensearch-in-vpc-only 69 | Scope: 70 | ComplianceResourceTypes: 71 | - AWS::OpenSearch::Domain 72 | Source: 73 | Owner: AWS 74 | SourceIdentifier: OPENSEARCH_IN_VPC_ONLY 75 | Type: AWS::Config::ConfigRule 76 | OpensearchLogsToCloudwatch: 77 | Properties: 78 | ConfigRuleName: opensearch-logs-to-cloudwatch 79 | Scope: 80 | ComplianceResourceTypes: 81 | - AWS::OpenSearch::Domain 82 | Source: 83 | Owner: AWS 84 | SourceIdentifier: OPENSEARCH_LOGS_TO_CLOUDWATCH 85 | Type: AWS::Config::ConfigRule 86 | OpensearchNodeToNodeEncryptionCheck: 87 | Properties: 88 | ConfigRuleName: opensearch-node-to-node-encryption-check 89 | Scope: 90 | ComplianceResourceTypes: 91 | - AWS::OpenSearch::Domain 92 | Source: 93 | Owner: AWS 94 | SourceIdentifier: OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK 95 | Type: AWS::Config::ConfigRule 96 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-AutoScaling.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Operational Best Practices for 5 | # 6 | # This conformance pack helps verify compliance with requirements. 
7 | # 8 | ################################################################################## 9 | 10 | Resources: 11 | AutoscalingCapacityRebalancing: 12 | Properties: 13 | ConfigRuleName: autoscaling-capacity-rebalancing 14 | Scope: 15 | ComplianceResourceTypes: 16 | - AWS::AutoScaling::AutoScalingGroup 17 | Source: 18 | Owner: AWS 19 | SourceIdentifier: AUTOSCALING_CAPACITY_REBALANCING 20 | Type: AWS::Config::ConfigRule 21 | AutoscalingGroupElbHealthcheckRequired: 22 | Properties: 23 | ConfigRuleName: autoscaling-group-elb-healthcheck-required 24 | Scope: 25 | ComplianceResourceTypes: 26 | - AWS::AutoScaling::AutoScalingGroup 27 | Source: 28 | Owner: AWS 29 | SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED 30 | Type: AWS::Config::ConfigRule 31 | AutoscalingLaunchConfigHopLimit: 32 | Properties: 33 | ConfigRuleName: autoscaling-launch-config-hop-limit 34 | Scope: 35 | ComplianceResourceTypes: 36 | - AWS::AutoScaling::LaunchConfiguration 37 | Source: 38 | Owner: AWS 39 | SourceIdentifier: AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT 40 | Type: AWS::Config::ConfigRule 41 | AutoscalingLaunchConfigPublicIpDisabled: 42 | Properties: 43 | ConfigRuleName: autoscaling-launch-config-public-ip-disabled 44 | Scope: 45 | ComplianceResourceTypes: 46 | - AWS::AutoScaling::LaunchConfiguration 47 | Source: 48 | Owner: AWS 49 | SourceIdentifier: AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED 50 | Type: AWS::Config::ConfigRule 51 | AutoscalingLaunchconfigRequiresImdsv2: 52 | Properties: 53 | ConfigRuleName: autoscaling-launchconfig-requires-imdsv2 54 | Scope: 55 | ComplianceResourceTypes: 56 | - AWS::AutoScaling::LaunchConfiguration 57 | Source: 58 | Owner: AWS 59 | SourceIdentifier: AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2 60 | Type: AWS::Config::ConfigRule 61 | AutoscalingMultipleAz: 62 | Properties: 63 | ConfigRuleName: autoscaling-multiple-az 64 | Scope: 65 | ComplianceResourceTypes: 66 | - AWS::AutoScaling::AutoScalingGroup 67 | Source: 68 | Owner: AWS 69 | SourceIdentifier: 
AUTOSCALING_MULTIPLE_AZ 70 | Type: AWS::Config::ConfigRule 71 | AutoscalingMultipleInstanceTypes: 72 | Properties: 73 | ConfigRuleName: autoscaling-multiple-instance-types 74 | Scope: 75 | ComplianceResourceTypes: 76 | - AWS::AutoScaling::AutoScalingGroup 77 | Source: 78 | Owner: AWS 79 | SourceIdentifier: AUTOSCALING_MULTIPLE_INSTANCE_TYPES 80 | Type: AWS::Config::ConfigRule 81 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-CloudFront.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Operational Best Practices for CloudFront 5 | # 6 | ################################################################################## 7 | 8 | Resources: 9 | CloudfrontAccesslogsEnabled: 10 | Properties: 11 | ConfigRuleName: cloudfront-accesslogs-enabled 12 | Scope: 13 | ComplianceResourceTypes: 14 | - AWS::CloudFront::Distribution 15 | Source: 16 | Owner: AWS 17 | SourceIdentifier: CLOUDFRONT_ACCESSLOGS_ENABLED 18 | Type: AWS::Config::ConfigRule 19 | CloudfrontAssociatedWithWaf: 20 | Properties: 21 | ConfigRuleName: cloudfront-associated-with-waf 22 | Scope: 23 | ComplianceResourceTypes: 24 | - AWS::CloudFront::Distribution 25 | Source: 26 | Owner: AWS 27 | SourceIdentifier: CLOUDFRONT_ASSOCIATED_WITH_WAF 28 | Type: AWS::Config::ConfigRule 29 | CloudfrontCustomSslCertificate: 30 | Properties: 31 | ConfigRuleName: cloudfront-custom-ssl-certificate 32 | Scope: 33 | ComplianceResourceTypes: 34 | - AWS::CloudFront::Distribution 35 | Source: 36 | Owner: AWS 37 | SourceIdentifier: CLOUDFRONT_CUSTOM_SSL_CERTIFICATE 38 | Type: AWS::Config::ConfigRule 39 | CloudfrontDefaultRootObjectConfigured: 40 | Properties: 41 | ConfigRuleName: cloudfront-default-root-object-configured 42 | Scope: 43 | ComplianceResourceTypes: 44 | - 
AWS::CloudFront::Distribution 45 | Source: 46 | Owner: AWS 47 | SourceIdentifier: CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED 48 | Type: AWS::Config::ConfigRule 49 | CloudfrontNoDeprecatedSslProtocols: 50 | Properties: 51 | ConfigRuleName: cloudfront-no-deprecated-ssl-protocols 52 | Scope: 53 | ComplianceResourceTypes: 54 | - AWS::CloudFront::Distribution 55 | Source: 56 | Owner: AWS 57 | SourceIdentifier: CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS 58 | Type: AWS::Config::ConfigRule 59 | CloudfrontOriginAccessIdentityEnabled: 60 | Properties: 61 | ConfigRuleName: cloudfront-origin-access-identity-enabled 62 | Scope: 63 | ComplianceResourceTypes: 64 | - AWS::CloudFront::Distribution 65 | Source: 66 | Owner: AWS 67 | SourceIdentifier: CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED 68 | Type: AWS::Config::ConfigRule 69 | CloudfrontOriginFailoverEnabled: 70 | Properties: 71 | ConfigRuleName: cloudfront-origin-failover-enabled 72 | Scope: 73 | ComplianceResourceTypes: 74 | - AWS::CloudFront::Distribution 75 | Source: 76 | Owner: AWS 77 | SourceIdentifier: CLOUDFRONT_ORIGIN_FAILOVER_ENABLED 78 | Type: AWS::Config::ConfigRule 79 | CloudfrontSniEnabled: 80 | Properties: 81 | ConfigRuleName: cloudfront-sni-enabled 82 | Scope: 83 | ComplianceResourceTypes: 84 | - AWS::CloudFront::Distribution 85 | Source: 86 | Owner: AWS 87 | SourceIdentifier: CLOUDFRONT_SNI_ENABLED 88 | Type: AWS::Config::ConfigRule 89 | CloudfrontTrafficToOriginEncrypted: 90 | Properties: 91 | ConfigRuleName: cloudfront-traffic-to-origin-encrypted 92 | Scope: 93 | ComplianceResourceTypes: 94 | - AWS::CloudFront::Distribution 95 | Source: 96 | Owner: AWS 97 | SourceIdentifier: CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED 98 | Type: AWS::Config::ConfigRule 99 | CloudfrontViewerPolicyHttps: 100 | Properties: 101 | ConfigRuleName: cloudfront-viewer-policy-https 102 | Scope: 103 | ComplianceResourceTypes: 104 | - AWS::CloudFront::Distribution 105 | Source: 106 | Owner: AWS 107 | SourceIdentifier: CLOUDFRONT_VIEWER_POLICY_HTTPS 
108 | Type: AWS::Config::ConfigRule 109 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-CloudTrail.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Security Best Practices for CloudTrail 5 | # 6 | # This conformance pack helps verify compliance with requirements. 7 | # 8 | ################################################################################## 9 | 10 | Resources: 11 | CloudTrailCloudWatchLogsEnabled: 12 | Properties: 13 | ConfigRuleName: cloud-trail-cloud-watch-logs-enabled 14 | Source: 15 | Owner: AWS 16 | SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED 17 | Type: AWS::Config::ConfigRule 18 | CloudTrailEnabled: 19 | Properties: 20 | ConfigRuleName: cloudtrail-enabled 21 | Source: 22 | Owner: AWS 23 | SourceIdentifier: CLOUD_TRAIL_ENABLED 24 | Type: AWS::Config::ConfigRule 25 | CloudTrailEncryptionEnabled: 26 | Properties: 27 | ConfigRuleName: cloud-trail-encryption-enabled 28 | Source: 29 | Owner: AWS 30 | SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED 31 | Type: AWS::Config::ConfigRule 32 | CloudTrailLogFileValidationEnabled: 33 | Properties: 34 | ConfigRuleName: cloud-trail-log-file-validation-enabled 35 | Source: 36 | Owner: AWS 37 | SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED 38 | Type: AWS::Config::ConfigRule 39 | CloudtrailS3DataeventsEnabled: 40 | Properties: 41 | ConfigRuleName: cloudtrail-s3-dataevents-enabled 42 | Source: 43 | Owner: AWS 44 | SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED 45 | Type: AWS::Config::ConfigRule 46 | CloudtrailSecurityTrailEnabled: 47 | Properties: 48 | ConfigRuleName: cloudtrail-security-trail-enabled 49 | Source: 50 | Owner: AWS 51 | SourceIdentifier: CLOUDTRAIL_SECURITY_TRAIL_ENABLED 52 | Type: AWS::Config::ConfigRule 53 | 
MultiRegionCloudTrailEnabled: 54 | Properties: 55 | ConfigRuleName: multi-region-cloudtrail-enabled 56 | Source: 57 | Owner: AWS 58 | SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED 59 | Type: AWS::Config::ConfigRule 60 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-CodeBuild.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Security Best Practices for CodeBuild 5 | # 6 | # This conformance pack helps verify compliance with requirements. 7 | # 8 | ################################################################################## 9 | 10 | Resources: 11 | CodebuildProjectArtifactEncryption: 12 | Properties: 13 | ConfigRuleName: codebuild-project-artifact-encryption 14 | Scope: 15 | ComplianceResourceTypes: 16 | - AWS::CodeBuild::Project 17 | Source: 18 | Owner: AWS 19 | SourceIdentifier: CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION 20 | Type: AWS::Config::ConfigRule 21 | CodebuildProjectEnvironmentPrivilegedCheck: 22 | Properties: 23 | ConfigRuleName: codebuild-project-environment-privileged-check 24 | Scope: 25 | ComplianceResourceTypes: 26 | - AWS::CodeBuild::Project 27 | Source: 28 | Owner: AWS 29 | SourceIdentifier: CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK 30 | Type: AWS::Config::ConfigRule 31 | CodebuildProjectEnvvarAwscredCheck: 32 | Properties: 33 | ConfigRuleName: codebuild-project-envvar-awscred-check 34 | Scope: 35 | ComplianceResourceTypes: 36 | - AWS::CodeBuild::Project 37 | Source: 38 | Owner: AWS 39 | SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK 40 | Type: AWS::Config::ConfigRule 41 | CodebuildProjectLoggingEnabled: 42 | Properties: 43 | ConfigRuleName: codebuild-project-logging-enabled 44 | Scope: 45 | ComplianceResourceTypes: 46 | - AWS::CodeBuild::Project 47 | Source: 48 | Owner: AWS 49 
| SourceIdentifier: CODEBUILD_PROJECT_LOGGING_ENABLED 50 | Type: AWS::Config::ConfigRule 51 | CodebuildProjectS3LogsEncrypted: 52 | Properties: 53 | ConfigRuleName: codebuild-project-s3-logs-encrypted 54 | Scope: 55 | ComplianceResourceTypes: 56 | - AWS::CodeBuild::Project 57 | Source: 58 | Owner: AWS 59 | SourceIdentifier: CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED 60 | Type: AWS::Config::ConfigRule 61 | CodebuildProjectSourceRepoUrlCheck: 62 | Properties: 63 | ConfigRuleName: codebuild-project-source-repo-url-check 64 | Scope: 65 | ComplianceResourceTypes: 66 | - AWS::CodeBuild::Project 67 | Source: 68 | Owner: AWS 69 | SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK 70 | Type: AWS::Config::ConfigRule 71 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-ECR.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Security Best Practices for Amazon ECR 5 | # 6 | # 7 | # 8 | ################################################################################## 9 | 10 | Resources: 11 | EcrPrivateImageScanningEnabled: 12 | Properties: 13 | ConfigRuleName: ecr-private-image-scanning-enabled 14 | Scope: 15 | ComplianceResourceTypes: 16 | - AWS::ECR::Repository 17 | Source: 18 | Owner: AWS 19 | SourceIdentifier: ECR_PRIVATE_IMAGE_SCANNING_ENABLED 20 | Type: AWS::Config::ConfigRule 21 | EcrPrivateLifecyclePolicyConfigured: 22 | Properties: 23 | ConfigRuleName: ecr-private-lifecycle-policy-configured 24 | Scope: 25 | ComplianceResourceTypes: 26 | - AWS::ECR::Repository 27 | Source: 28 | Owner: AWS 29 | SourceIdentifier: ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED 30 | Type: AWS::Config::ConfigRule 31 | EcrPrivateTagImmutabilityEnabled: 32 | Properties: 33 | ConfigRuleName: ecr-private-tag-immutability-enabled 34 | Scope: 35 | 
ComplianceResourceTypes: 36 | - AWS::ECR::Repository 37 | Source: 38 | Owner: AWS 39 | SourceIdentifier: ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED 40 | Type: AWS::Config::ConfigRule 41 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-EFS.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Operational Best Practices for EFS 5 | # 6 | # 7 | ################################################################################## 8 | 9 | Resources: 10 | EfsAccessPointEnforceRootDirectory: 11 | Properties: 12 | ConfigRuleName: efs-access-point-enforce-root-directory 13 | Scope: 14 | ComplianceResourceTypes: 15 | - AWS::EFS::AccessPoint 16 | Source: 17 | Owner: AWS 18 | SourceIdentifier: EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY 19 | Type: AWS::Config::ConfigRule 20 | EfsAccessPointEnforceUserIdentity: 21 | Properties: 22 | ConfigRuleName: efs-access-point-enforce-user-identity 23 | Scope: 24 | ComplianceResourceTypes: 25 | - AWS::EFS::AccessPoint 26 | Source: 27 | Owner: AWS 28 | SourceIdentifier: EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY 29 | Type: AWS::Config::ConfigRule 30 | EfsEncryptedCheck: 31 | Properties: 32 | ConfigRuleName: efs-encrypted-check 33 | Source: 34 | Owner: AWS 35 | SourceIdentifier: EFS_ENCRYPTED_CHECK 36 | Type: AWS::Config::ConfigRule 37 | EfsInBackupPlan: 38 | Properties: 39 | ConfigRuleName: efs-in-backup-plan 40 | Source: 41 | Owner: AWS 42 | SourceIdentifier: EFS_IN_BACKUP_PLAN 43 | Type: AWS::Config::ConfigRule 44 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-EKS.yaml: -------------------------------------------------------------------------------- 1 | 
################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Security Best Practices for EKS 5 | # 6 | # 7 | # See Parameters section for names and descriptions of required parameters. 8 | # 9 | ################################################################################## 10 | 11 | Parameters: 12 | EksClusterOldestSupportedVersionParamOldestVersionSupported: 13 | Default: '1.2' 14 | Type: String 15 | EksClusterSupportedVersionParamOldestVersionSupported: 16 | Default: '1.2' 17 | Type: String 18 | Resources: 19 | EksClusterOldestSupportedVersion: 20 | Properties: 21 | ConfigRuleName: eks-cluster-oldest-supported-version 22 | InputParameters: 23 | oldestVersionSupported: 24 | Fn::If: 25 | - eksClusterOldestSupportedVersionParamOldestVersionSupported 26 | - Ref: EksClusterOldestSupportedVersionParamOldestVersionSupported 27 | - Ref: AWS::NoValue 28 | Scope: 29 | ComplianceResourceTypes: 30 | - AWS::EKS::Cluster 31 | Source: 32 | Owner: AWS 33 | SourceIdentifier: EKS_CLUSTER_OLDEST_SUPPORTED_VERSION 34 | Type: AWS::Config::ConfigRule 35 | EksClusterSupportedVersion: 36 | Properties: 37 | ConfigRuleName: eks-cluster-supported-version 38 | InputParameters: 39 | oldestVersionSupported: 40 | Fn::If: 41 | - eksClusterSupportedVersionParamOldestVersionSupported 42 | - Ref: EksClusterSupportedVersionParamOldestVersionSupported 43 | - Ref: AWS::NoValue 44 | Scope: 45 | ComplianceResourceTypes: 46 | - AWS::EKS::Cluster 47 | Source: 48 | Owner: AWS 49 | SourceIdentifier: EKS_CLUSTER_SUPPORTED_VERSION 50 | Type: AWS::Config::ConfigRule 51 | EksEndpointNoPublicAccess: 52 | Properties: 53 | ConfigRuleName: eks-endpoint-no-public-access 54 | Source: 55 | Owner: AWS 56 | SourceIdentifier: EKS_ENDPOINT_NO_PUBLIC_ACCESS 57 | Type: AWS::Config::ConfigRule 58 | EksSecretsEncrypted: 59 | Properties: 60 | ConfigRuleName: eks-secrets-encrypted 61 | Source: 62 | Owner: AWS 63 | SourceIdentifier: EKS_SECRETS_ENCRYPTED 64 | Type: 
AWS::Config::ConfigRule 65 | Conditions: 66 | eksClusterOldestSupportedVersionParamOldestVersionSupported: 67 | Fn::Not: 68 | - Fn::Equals: 69 | - '' 70 | - Ref: EksClusterOldestSupportedVersionParamOldestVersionSupported 71 | eksClusterSupportedVersionParamOldestVersionSupported: 72 | Fn::Not: 73 | - Fn::Equals: 74 | - '' 75 | - Ref: EksClusterSupportedVersionParamOldestVersionSupported 76 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-Lambda.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Security Best Practices for AWS Lambda 5 | # 6 | # 7 | # See Parameters section for names and descriptions of required parameters. 8 | # 9 | ################################################################################## 10 | 11 | Parameters: 12 | LambdaFunctionSettingsCheckParamRuntime: 13 | Default: nodejs16.x, nodejs14.x, nodejs12.x, python3.9, python3.8, python3.7, 14 | python3.6, ruby2.7, java11, java8, java8.al2, go1.x, dotnetcore3.1, dotnet6 15 | Type: String 16 | Resources: 17 | LambdaDlqCheck: 18 | Properties: 19 | ConfigRuleName: lambda-dlq-check 20 | Scope: 21 | ComplianceResourceTypes: 22 | - AWS::Lambda::Function 23 | Source: 24 | Owner: AWS 25 | SourceIdentifier: LAMBDA_DLQ_CHECK 26 | Type: AWS::Config::ConfigRule 27 | LambdaFunctionSettingsCheck: 28 | Properties: 29 | ConfigRuleName: lambda-function-settings-check 30 | InputParameters: 31 | runtime: 32 | Fn::If: 33 | - lambdaFunctionSettingsCheckParamRuntime 34 | - Ref: LambdaFunctionSettingsCheckParamRuntime 35 | - Ref: AWS::NoValue 36 | Scope: 37 | ComplianceResourceTypes: 38 | - AWS::Lambda::Function 39 | Source: 40 | Owner: AWS 41 | SourceIdentifier: LAMBDA_FUNCTION_SETTINGS_CHECK 42 | Type: AWS::Config::ConfigRule 43 | LambdaInsideVpc: 44 | Properties: 45 
| ConfigRuleName: lambda-inside-vpc 46 | Scope: 47 | ComplianceResourceTypes: 48 | - AWS::Lambda::Function 49 | Source: 50 | Owner: AWS 51 | SourceIdentifier: LAMBDA_INSIDE_VPC 52 | Type: AWS::Config::ConfigRule 53 | LambdaVpcMultiAzCheck: 54 | Properties: 55 | ConfigRuleName: lambda-vpc-multi-az-check 56 | Scope: 57 | ComplianceResourceTypes: 58 | - AWS::Lambda::Function 59 | Source: 60 | Owner: AWS 61 | SourceIdentifier: LAMBDA_VPC_MULTI_AZ_CHECK 62 | Type: AWS::Config::ConfigRule 63 | Conditions: 64 | lambdaFunctionSettingsCheckParamRuntime: 65 | Fn::Not: 66 | - Fn::Equals: 67 | - '' 68 | - Ref: LambdaFunctionSettingsCheckParamRuntime 69 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-Network-Firewall.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Operational Best Practices for Network Firewall 5 | # 6 | # 7 | ################################################################################## 8 | 9 | Parameters: 10 | NetfwPolicyDefaultActionFragmentPacketsParamStatelessFragmentDefaultActions: 11 | Default: aws:drop,aws:forward_to_sfe 12 | Type: String 13 | NetfwPolicyDefaultActionFullPacketsParamStatelessDefaultActions: 14 | Default: aws:drop,aws:forward_to_sfe 15 | Type: String 16 | Resources: 17 | NetfwPolicyDefaultActionFragmentPackets: 18 | Properties: 19 | ConfigRuleName: netfw-policy-default-action-fragment-packets 20 | InputParameters: 21 | statelessFragmentDefaultActions: 22 | Fn::If: 23 | - netfwPolicyDefaultActionFragmentPacketsParamStatelessFragmentDefaultActions 24 | - Ref: NetfwPolicyDefaultActionFragmentPacketsParamStatelessFragmentDefaultActions 25 | - Ref: AWS::NoValue 26 | Scope: 27 | ComplianceResourceTypes: 28 | - AWS::NetworkFirewall::FirewallPolicy 29 | Source: 30 | Owner: AWS 31 | 
SourceIdentifier: NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS 32 | Type: AWS::Config::ConfigRule 33 | NetfwPolicyDefaultActionFullPackets: 34 | Properties: 35 | ConfigRuleName: netfw-policy-default-action-full-packets 36 | InputParameters: 37 | statelessDefaultActions: 38 | Fn::If: 39 | - netfwPolicyDefaultActionFullPacketsParamStatelessDefaultActions 40 | - Ref: NetfwPolicyDefaultActionFullPacketsParamStatelessDefaultActions 41 | - Ref: AWS::NoValue 42 | Scope: 43 | ComplianceResourceTypes: 44 | - AWS::NetworkFirewall::FirewallPolicy 45 | Source: 46 | Owner: AWS 47 | SourceIdentifier: NETFW_POLICY_DEFAULT_ACTION_FULL_PACKETS 48 | Type: AWS::Config::ConfigRule 49 | NetfwPolicyRuleGroupAssociated: 50 | Properties: 51 | ConfigRuleName: netfw-policy-rule-group-associated 52 | Scope: 53 | ComplianceResourceTypes: 54 | - AWS::NetworkFirewall::FirewallPolicy 55 | Source: 56 | Owner: AWS 57 | SourceIdentifier: NETFW_POLICY_RULE_GROUP_ASSOCIATED 58 | Type: AWS::Config::ConfigRule 59 | NetfwStatelessRuleGroupNotEmpty: 60 | Properties: 61 | ConfigRuleName: netfw-stateless-rule-group-not-empty 62 | Scope: 63 | ComplianceResourceTypes: 64 | - AWS::NetworkFirewall::RuleGroup 65 | Source: 66 | Owner: AWS 67 | SourceIdentifier: NETFW_STATELESS_RULE_GROUP_NOT_EMPTY 68 | Type: AWS::Config::ConfigRule 69 | Conditions: 70 | netfwPolicyDefaultActionFragmentPacketsParamStatelessFragmentDefaultActions: 71 | Fn::Not: 72 | - Fn::Equals: 73 | - '' 74 | - Ref: NetfwPolicyDefaultActionFragmentPacketsParamStatelessFragmentDefaultActions 75 | netfwPolicyDefaultActionFullPacketsParamStatelessDefaultActions: 76 | Fn::Not: 77 | - Fn::Equals: 78 | - '' 79 | - Ref: NetfwPolicyDefaultActionFullPacketsParamStatelessDefaultActions 80 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-SageMaker.yaml: -------------------------------------------------------------------------------- 1 | 
################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Security Best Practices for Amazon SageMaker 5 | # 6 | # This conformance pack helps verify compliance with requirements. 7 | # 8 | ################################################################################## 9 | 10 | Resources: 11 | SagemakerEndpointConfigurationKmsKeyConfigured: 12 | Properties: 13 | ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured 14 | Source: 15 | Owner: AWS 16 | SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED 17 | Type: AWS::Config::ConfigRule 18 | SagemakerNotebookInstanceKmsKeyConfigured: 19 | Properties: 20 | ConfigRuleName: sagemaker-notebook-instance-kms-key-configured 21 | Source: 22 | Owner: AWS 23 | SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED 24 | Type: AWS::Config::ConfigRule 25 | SagemakerNotebookNoDirectInternetAccess: 26 | Properties: 27 | ConfigRuleName: sagemaker-notebook-no-direct-internet-access 28 | Source: 29 | Owner: AWS 30 | SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS 31 | Type: AWS::Config::ConfigRule 32 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/Security-Best-Practices-for-Secrets-Manager.yaml: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # 3 | # Conformance Pack: 4 | # Operational Best Practices for Secrets Manager 5 | # 6 | ################################################################################## 7 | 8 | Parameters: 9 | SecretsmanagerSecretPeriodicRotationParamMaxDaysSinceRotation: 10 | Default: '90' 11 | Type: String 12 | AllowedPattern: '^[0-9]*$' 13 | ConstraintDescription: Must contain only numbers. 
14 | SecretsmanagerSecretUnusedParamUnusedForDays: 15 | Default: '90' 16 | Type: String 17 | AllowedPattern: '^[0-9]*$' 18 | ConstraintDescription: Must contain only numbers. 19 | Resources: 20 | SecretsmanagerRotationEnabledCheck: 21 | Properties: 22 | ConfigRuleName: secretsmanager-rotation-enabled-check 23 | Scope: 24 | ComplianceResourceTypes: 25 | - AWS::SecretsManager::Secret 26 | Source: 27 | Owner: AWS 28 | SourceIdentifier: SECRETSMANAGER_ROTATION_ENABLED_CHECK 29 | Type: AWS::Config::ConfigRule 30 | SecretsmanagerScheduledRotationSuccessCheck: 31 | Properties: 32 | ConfigRuleName: secretsmanager-scheduled-rotation-success-check 33 | Scope: 34 | ComplianceResourceTypes: 35 | - AWS::SecretsManager::Secret 36 | Source: 37 | Owner: AWS 38 | SourceIdentifier: SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK 39 | Type: AWS::Config::ConfigRule 40 | SecretsmanagerSecretPeriodicRotation: 41 | Properties: 42 | ConfigRuleName: secretsmanager-secret-periodic-rotation 43 | InputParameters: 44 | maxDaysSinceRotation: 45 | Fn::If: 46 | - secretsmanagerSecretPeriodicRotationParamMaxDaysSinceRotation 47 | - Ref: SecretsmanagerSecretPeriodicRotationParamMaxDaysSinceRotation 48 | - Ref: AWS::NoValue 49 | Source: 50 | Owner: AWS 51 | SourceIdentifier: SECRETSMANAGER_SECRET_PERIODIC_ROTATION 52 | Type: AWS::Config::ConfigRule 53 | SecretsmanagerSecretUnused: 54 | Properties: 55 | ConfigRuleName: secretsmanager-secret-unused 56 | InputParameters: 57 | unusedForDays: 58 | Fn::If: 59 | - secretsmanagerSecretUnusedParamUnusedForDays 60 | - Ref: SecretsmanagerSecretUnusedParamUnusedForDays 61 | - Ref: AWS::NoValue 62 | Source: 63 | Owner: AWS 64 | SourceIdentifier: SECRETSMANAGER_SECRET_UNUSED 65 | Type: AWS::Config::ConfigRule 66 | SecretsmanagerUsingCmk: 67 | Properties: 68 | ConfigRuleName: secretsmanager-using-cmk 69 | Scope: 70 | ComplianceResourceTypes: 71 | - AWS::SecretsManager::Secret 72 | Source: 73 | Owner: AWS 74 | SourceIdentifier: SECRETSMANAGER_USING_CMK 75 | Type: 
AWS::Config::ConfigRule 76 | Conditions: 77 | secretsmanagerSecretPeriodicRotationParamMaxDaysSinceRotation: 78 | Fn::Not: 79 | - Fn::Equals: 80 | - '' 81 | - Ref: SecretsmanagerSecretPeriodicRotationParamMaxDaysSinceRotation 82 | secretsmanagerSecretUnusedParamUnusedForDays: 83 | Fn::Not: 84 | - Fn::Equals: 85 | - '' 86 | - Ref: SecretsmanagerSecretUnusedParamUnusedForDays 87 | -------------------------------------------------------------------------------- /aws-config-conformance-packs/custom-conformance-pack.yaml: -------------------------------------------------------------------------------- 1 | Parameters: 2 | CustomConfigRuleLambdaArn: 3 | Description: The ARN of the custom config rule lambda. 4 | Type: String 5 | Resources: 6 | CustomRuleForEC2: 7 | Type: AWS::Config::ConfigRule 8 | Properties: 9 | ConfigRuleName: "CustomRuleForEC2" 10 | Scope: 11 | ComplianceResourceTypes: 12 | - "AWS::EC2::Volume" 13 | Source: 14 | Owner: "CUSTOM_LAMBDA" 15 | SourceDetails: 16 | - 17 | EventSource: "aws.config" 18 | MessageType: "ConfigurationItemChangeNotification" 19 | - 20 | EventSource: "aws.config" 21 | MessageType: "OversizedConfigurationItemChangeNotification" 22 | SourceIdentifier: 23 | Ref: CustomConfigRuleLambdaArn 24 | ConfigRuleForVolumeTags: 25 | Type: AWS::Config::ConfigRule 26 | Description: "Test CREATE" 27 | Properties: 28 | ConfigRuleName: "ConfigRuleForVolumeTags" 29 | InputParameters: 30 | tag1Key: CostCenter 31 | Scope: 32 | ComplianceResourceTypes: 33 | - "AWS::EC2::Volume" 34 | Source: 35 | Owner: AWS 36 | SourceIdentifier: "REQUIRED_TAGS" 37 | CloudTrailEnabled: 38 | Type: AWS::Config::ConfigRule 39 | Description: "CloudTrail rule" 40 | Properties: 41 | ConfigRuleName: "CloudTrailEnabled" 42 | InputParameters: 43 | s3BucketName: testBucketName 44 | Source: 45 | Owner: AWS 46 | SourceIdentifier: "CLOUD_TRAIL_ENABLED" 47 | -------------------------------------------------------------------------------- /java/HOWTO.md: 
-------------------------------------------------------------------------------- 1 | # Creating an AWS Config Rule with Java 2 | 3 | You can use any of the sample Java files in this repository to create a custom Config rule. To 4 | create a Config rule, first you build a JAR file that contains the Java classes. Then, you create an AWS Lambda 5 | function that uses one of the classes in the JAR. Finally, you create a Config rule that uses the function. 6 | 7 | To build the JAR file, you will run a single Apache Maven command. Maven will download the package's 8 | dependencies, build the package, and test it. To download and install Maven, go to 9 | . 10 | 11 | ## Building the JAR File 12 | 13 | Run the following Maven command from within the `java` directory: 14 | 15 | `mvn package` 16 | 17 | Maven builds a JAR file and places it in the following path: 18 | 19 | 'target/aws-config-java-sample-rules-1.0-SNAPSHOT.jar' 20 | 21 | ## Creating an AWS Lambda Function and AWS Config Rule 22 | 23 | For steps to create a Lambda function and corresponding Config rule, see the [README 24 | file](../README.md) for the AWS Config Rules repository. 25 | 26 | When you use AWS Lambda to create the function, select Java 8 as the runtime. You will need to 27 | specify the function handler, and you might need to add supplementary permissions to the function's 28 | execution role. This information is documented in the [list of Java Config rules 29 | (RULES.md)](RULES_JAVA.md). -------------------------------------------------------------------------------- /java/RULES_JAVA.md: -------------------------------------------------------------------------------- 1 | # AWS Config Rules (Java) 2 | This file provides supplementary information for the sample AWS Config Rules in Java. 3 | 4 | * **Handler** - The handler value that you provide to AWS Lambda when you create a function. 
5 | * **Supplementary Permissions** - Permissions that you must grant the function's execution role in addition to those that are granted by the AWS Config role. 6 | * **Trigger Type** - The trigger type that you assign to the Config rule that uses the function. 7 | * **Required Parameters** - Parameters that are evaluated by the function. You must specify these parameter keys when you create the AWS Config rule. 8 | 9 | For the steps to create a Config rule with a Java sample, see the [HOWTO.md](./HOWTO.md) file. 10 | 11 | ## 1. Ensure MFA Enabled on Root Account 12 | Description: Checks whether an AWS account is enabled for multi-factor authentication. 13 | 14 | \src\main\java\com\amazonaws\services\config\samplerules\RootAccountMFAEnabled.java 15 | 16 | * Handler: ```com.amazonaws.services.config.samplerules.RootAccountMFAEnabled::handle``` 17 | * Supplementary Permissions: ```iam:GetAccountSummary``` 18 | * Trigger Type: ```Periodic``` 19 | * Required Parameters: ```None``` 20 | -------------------------------------------------------------------------------- /java/pom.xml: -------------------------------------------------------------------------------- 1 | 3 | 4.0.0 4 | 5 | com.amazonaws 6 | aws-config-java-sample-rules 7 | jar 8 | 1.0-SNAPSHOT 9 | AWS Config Sample Rule Library 10 | 11 | 12 | 13 | com.amazonaws 14 | aws-lambda-java-core 15 | 1.1.0 16 | 17 | 18 | com.amazonaws 19 | aws-lambda-java-events 20 | 1.2.0 21 | 22 | 23 | com.amazonaws 24 | aws-java-sdk-config 25 | [1.10.5,) 26 | 27 | 28 | com.amazonaws 29 | aws-java-sdk-iam 30 | [1.10.5,) 31 | 32 | 33 | com.fasterxml.jackson.core 34 | jackson-core 35 | 2.7.0 36 | 37 | 38 | junit 39 | junit 40 | 4.13.1 41 | test 42 | 43 | 44 | org.mockito 45 | mockito-core 46 | 1.9.5 47 | test 48 | 49 | 50 | org.apache.commons 51 | commons-lang3 52 | 3.0 53 | 54 | 55 | com.google.guava 56 | guava 57 | [24.1.1,) 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | org.apache.maven.plugins 66 | maven-compiler-plugin 67 | 68 | 1.8 69 | 
1.8 70 | 71 | 72 | 73 | org.apache.maven.plugins 74 | maven-shade-plugin 75 | 2.3 76 | 77 | false 78 | 79 | 80 | 81 | package 82 | 83 | shade 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | -------------------------------------------------------------------------------- /java/src/main/java/com/amazonaws/services/config/samplerules/exception/FunctionExecutionException.java: -------------------------------------------------------------------------------- 1 | package com.amazonaws.services.config.samplerules.exception; 2 | 3 | public class FunctionExecutionException extends RuntimeException { 4 | 5 | private static final long serialVersionUID = 1L; 6 | 7 | public FunctionExecutionException(String message) { 8 | super(message); 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /node/iam_access_key_rotation-triggered.js: -------------------------------------------------------------------------------- 1 | // 2 | // This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | // 4 | // Ensure IAM User Access Key Rotation 5 | // Description: Checks that the IAM User's Access Keys have been rotated within the specified number of days. 6 | // 7 | // Trigger Type: Change Triggered 8 | // Scope of Changes: IAM:User 9 | // Required Parameter: MaximumAccessKeyAge 10 | // Example Value: 90 11 | 12 | var aws = require('aws-sdk'); 13 | var config = new aws.ConfigService(); 14 | var iam = new aws.IAM(); 15 | 16 | // Helper function used to validate input 17 | function checkDefined(reference, referenceName) { 18 | 19 | if (!reference) { 20 | 21 | console.log("Error: " + referenceName + " is not defined"); 22 | throw referenceName; 23 | 24 | } 25 | 26 | return reference; 27 | 28 | } 29 | 30 | // Check whether the the resource has been deleted. If it has, then the evaluation is unnecessary. 
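function isApplicable(configurationItem, event) {

    checkDefined(configurationItem, "configurationItem");
    checkDefined(event, "event");

    var status = configurationItem.configurationItemStatus;
    var eventLeftScope = event.eventLeftScope;

    return ('OK' === status || 'ResourceDiscovered' === status) && false === eventLeftScope;

}

// This is the handler that's invoked by Lambda
exports.handler = function(event, context) {

    event = checkDefined(event, "event");
    var invokingEvent = JSON.parse(event.invokingEvent);
    var ruleParameters = JSON.parse(event.ruleParameters);
    var configurationItem = checkDefined(invokingEvent.configurationItem, "invokingEvent.configurationItem");
    var compliance = 'NOT_APPLICABLE';
    var putEvaluationsRequest = {};

    // Only run the check on live IAM Users. A deleted user (isApplicable returns false)
    // is reported NOT_APPLICABLE without calling IAM, as the other rules in this directory do.
    if (isApplicable(configurationItem, event) && configurationItem.resourceType === 'AWS::IAM::User') {

        // MaximumAccessKeyAge is a required parameter. Without this check a missing or
        // non-numeric value makes every age comparison false, so every key would be
        // reported COMPLIANT regardless of its age.
        var maximumAccessKeyAge = Number(checkDefined(ruleParameters.MaximumAccessKeyAge, "ruleParameters.MaximumAccessKeyAge"));
        if (isNaN(maximumAccessKeyAge)) {
            throw "ruleParameters.MaximumAccessKeyAge must be a number of days";
        }

        // List all Access Keys for user
        iam.listAccessKeys({ UserName: configurationItem.resourceName }, function(keyerr, keydata) {

            var ret = 'NOT_APPLICABLE';

            if (!keyerr) {

                // Only check dates on users with keys
                if (keydata.AccessKeyMetadata.length > 0) {

                    // A user is COMPLIANT only if every key is within the allowed age.
                    // The result is never overwritten back to COMPLIANT: one stale key
                    // makes the user NON_COMPLIANT even if a newer key also exists.
                    ret = 'COMPLIANT';
                    var now = Date.now();

                    for (var k = 0; k < keydata.AccessKeyMetadata.length; k++) {

                        var ageInDays = Math.floor((now - Date.parse(keydata.AccessKeyMetadata[k].CreateDate)) / 86400000);

                        if (ageInDays > maximumAccessKeyAge) {
                            ret = 'NON_COMPLIANT';
                        }

                    }
                }

            } else {

                // NOTE(review): an IAM error (including an access-denied error on the
                // execution role) is logged and reported as NOT_APPLICABLE rather than
                // failing the invocation, so a permissions problem can hide stale keys.
                console.log(keyerr);

            }

            putEvaluationsRequest.Evaluations = [{
                ComplianceResourceType: configurationItem.resourceType,
                ComplianceResourceId: configurationItem.resourceId,
                ComplianceType: ret,
                OrderingTimestamp: configurationItem.configurationItemCaptureTime
            }];

            putEvaluationsRequest.ResultToken = event.resultToken;

            // Invoke the Config API to report the result of the evaluation
            config.putEvaluations(putEvaluationsRequest, function (err, data) {
                if (err) {
                    context.fail(err);
                } else {
                    context.succeed(data);
                }
            });

        });

    } else {

        // NOT APPLICABLE
        putEvaluationsRequest.Evaluations = [ { ComplianceResourceType: configurationItem.resourceType, ComplianceResourceId: configurationItem.resourceId, ComplianceType: compliance, OrderingTimestamp: configurationItem.configurationItemCaptureTime } ];
        putEvaluationsRequest.ResultToken = event.resultToken;
        config.putEvaluations(putEvaluationsRequest, function (err, data) { if (err) { context.fail(err); } else { context.succeed(data); } });

    }

};
-------------------------------------------------------------------------------- /node/iam_mfa_require-triggered.js: --------------------------------------------------------------------------------
//
// This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode)
//
// Ensure IAM User has MFA Enabled
// Description: Checks that all IAM Users have MFA Enabled
//
// Trigger Type: Change Triggered
// Scope of Changes: IAM:User
// Required Parameter: None

var aws = require('aws-sdk');
var config = new aws.ConfigService();
var iam = new aws.IAM();

// Helper function used to validate input
function checkDefined(reference, referenceName) {
    if (!reference) {
        console.log("Error: " + referenceName + " is not defined");
        throw referenceName;
    }
    return reference;
}

// Check whether the the resource has been deleted. If it has, then the evaluation is unnecessary.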
25 | 26 | function isApplicable(configurationItem, event){ 27 | checkDefined(configurationItem, "configurationItem"); 28 | checkDefined(event, "event"); 29 | var status = configurationItem.configurationItemStatus; 30 | var eventLeftScope = event.eventLeftScope; 31 | return ('OK' === status || 'ResourceDiscovered' === status) && false === eventLeftScope; 32 | } 33 | 34 | // This is the handler that's invoked by Lambda 35 | 36 | exports.handler = function(event, context) { 37 | event = checkDefined(event, "event"); 38 | var invokingEvent = JSON.parse(event.invokingEvent); 39 | var ruleParameters = JSON.parse(event.ruleParameters); 40 | var configurationItem = checkDefined(invokingEvent.configurationItem, "invokingEvent.configurationItem"); 41 | var putEvaluationsRequest = {}; 42 | 43 | // Only call out Async if a User 44 | if (configurationItem.resourceType === 'AWS::IAM::User') { 45 | 46 | iam.listMFADevices({ UserName: configurationItem.resourceName }, function(mfaerr, mfadata) { 47 | 48 | var ret = 'NON_COMPLIANT'; 49 | 50 | if (!mfaerr) { 51 | 52 | if (mfadata.MFADevices.length > 0) { 53 | 54 | ret = 'COMPLIANT'; 55 | 56 | } 57 | 58 | } else { 59 | 60 | console.log(mfaerr); 61 | 62 | } 63 | 64 | putEvaluationsRequest.Evaluations = [{ 65 | ComplianceResourceType: configurationItem.resourceType, 66 | ComplianceResourceId: configurationItem.resourceId, 67 | ComplianceType: ret, 68 | OrderingTimestamp: configurationItem.configurationItemCaptureTime 69 | }]; 70 | 71 | putEvaluationsRequest.ResultToken = event.resultToken; 72 | 73 | // Invoke the Config API to report the result of the evaluation 74 | config.putEvaluations(putEvaluationsRequest, function (err, data) { 75 | if (err) { 76 | context.fail(err); 77 | } else { 78 | context.succeed(data); 79 | } 80 | }); 81 | 82 | }); 83 | 84 | } else { 85 | 86 | // Put together the request that reports the evaluation status 87 | // Note that we're choosing to report this evaluation against the resource that was passed in. 
88 | // You can choose to report this against any other resource type, as long as it is supported by Config rules 89 | putEvaluationsRequest.Evaluations = [ { ComplianceResourceType: configurationItem.resourceType, ComplianceResourceId: configurationItem.resourceId, ComplianceType: 'NOT_APPLICABLE', OrderingTimestamp: configurationItem.configurationItemCaptureTime } ]; 90 | putEvaluationsRequest.ResultToken = event.resultToken; 91 | 92 | // Invoke the Config API to report the result of the evaluation 93 | config.putEvaluations(putEvaluationsRequest, function (err, data) { if (err) { context.fail(err); } else { context.succeed(data); } }); 94 | 95 | } 96 | 97 | }; 98 | -------------------------------------------------------------------------------- /node/instance_desired_tenancy-triggered.js: -------------------------------------------------------------------------------- 1 | // 2 | // This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | // 4 | // Ensure EC2 Instances have desired tenancy 5 | // Description: Checks that EC2 Instances have desired tenancy 6 | // 7 | // Trigger Type: Change Triggered 8 | // Scope of Changes: EC2:Instance 9 | // Required Parameter: DesiredTenancy 10 | // Example Value: dedicated 11 | 12 | var aws = require('aws-sdk'); 13 | var config = new aws.ConfigService(); 14 | // This is where it's determined whether the resource is compliant or not. 15 | // In this example, we look at the tenancy of the EC2 instance and determine whether it matches 16 | // the "DesiredTenancy" parameter that is passed to the rule. If the tenancy is not of the DesiredTenancy type, the 17 | // instance is marked non-compliant. Otherwise, it is marked complaint. 
18 | 19 | function evaluateCompliance(configurationItem, ruleParameters, context) { 20 | checkDefined(configurationItem, "configurationItem"); 21 | checkDefined(configurationItem.configuration, "configurationItem.configuration"); 22 | checkDefined(ruleParameters, "ruleParameters"); 23 | if ('AWS::EC2::Instance' !== configurationItem.resourceType) { 24 | return 'NOT_APPLICABLE'; 25 | } if (ruleParameters.DesiredTenancy === configurationItem.configuration.placement.tenancy) { 26 | return 'COMPLIANT'; 27 | } else { 28 | return 'NON_COMPLIANT'; 29 | } 30 | } 31 | // Helper function used to validate input 32 | function checkDefined(reference, referenceName) { 33 | if (!reference) { 34 | console.log("Error: " + referenceName + " is not defined"); 35 | throw referenceName; 36 | } 37 | return reference; 38 | } 39 | // Check whether the the resource has been deleted. If it has, then the evaluation is unnecessary. 40 | function isApplicable(configurationItem, event) { 41 | checkDefined(configurationItem, "configurationItem"); 42 | checkDefined(event, "event"); 43 | var status = configurationItem.configurationItemStatus; 44 | var eventLeftScope = event.eventLeftScope; 45 | return ('OK' === status || 'ResourceDiscovered' === status) && false === eventLeftScope; 46 | } 47 | // This is the handler that's invoked by Lambda 48 | // Most of this code is boilerplate; use as is 49 | exports.handler = function(event, context) { 50 | event = checkDefined(event, "event"); 51 | var invokingEvent = JSON.parse(event.invokingEvent); 52 | var ruleParameters = JSON.parse(event.ruleParameters); 53 | var configurationItem = checkDefined(invokingEvent.configurationItem, "invokingEvent.configurationItem"); 54 | var compliance = 'NOT_APPLICABLE'; 55 | var putEvaluationsRequest = {}; 56 | if (isApplicable(invokingEvent.configurationItem, event)) { 57 | // Invoke the compliance checking function. 
58 | compliance = evaluateCompliance(invokingEvent.configurationItem, ruleParameters, context); 59 | } 60 | // Put together the request that reports the evaluation status 61 | // Note that we're choosing to report this evaluation against the resource that was passed in. 62 | // You can choose to report this against any other resource type, as long as it is supported by Config rules 63 | 64 | putEvaluationsRequest.Evaluations = [ 65 | { 66 | ComplianceResourceType: configurationItem.resourceType, 67 | ComplianceResourceId: configurationItem.resourceId, 68 | ComplianceType: compliance, 69 | OrderingTimestamp: configurationItem.configurationItemCaptureTime 70 | } 71 | ]; 72 | putEvaluationsRequest.ResultToken = event.resultToken; 73 | // Invoke the Config API to report the result of the evaluation 74 | config.putEvaluations(putEvaluationsRequest, function (err, data) { 75 | if (err) { 76 | context.fail(err); 77 | } else { 78 | context.succeed(data); 79 | } 80 | }); 81 | }; 82 | -------------------------------------------------------------------------------- /python-rdklib/AMI_DEPRECATED_CHECK/README.md: -------------------------------------------------------------------------------- 1 | # EC2 Deprecated AMI Config Rule 2 | 3 | This repo provides a Lambda function for scanning your AWS accounts for deprecated, deleted, and unshared AMIs. 4 | 5 | AWS added a new feature to EC2 which allows you to define a deprecationTime to AMIs. After this time is reached, existing instances and launch templates can be used but new ones cannot be created with the deprecated AMIs. 6 | 7 | This config rule exists to detect any running instances that are using deprecated AMIs and autoscaling groups that are using a launch template with a deprecated AMI. This will also detect AMIs that are not available either due to AMI deregistry or unsharing. 
8 | 9 | ![](./ec2_rule_report.png) 10 | 11 | ## How to use 12 | 13 | To deploy this Lambda, you should follow the [blog post here](https://aws.amazon.com/blogs/mt/aws-config-rule-development-kit-library-build-and-operate-rules-at-scale/) to install the rdklib AWS Lambda layer. 14 | 15 | Please note that older versions of the rdklib layer may not have the correct version of dependencies. Ensure you are using the latest version of it. 16 | 17 | Once this is done, you can deploy by running: 18 | 19 | ```sh 20 | rdk init # if you have not already 21 | rdk deploy AMI_DEPRECATED_CHECK --rdklib-layer-arn YOUR_RDKLIB_LAYER_ARN 22 | ``` 23 | 24 | ## Future Additions 25 | This module can be enhanced in the future to detect other various uses of AMIs beyond EC2. 26 | -------------------------------------------------------------------------------- /python-rdklib/AMI_DEPRECATED_CHECK/ec2_rule_report.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awslabs/aws-config-rules/484c17b7e966e1e914032014008b9cb46aeffe4e/python-rdklib/AMI_DEPRECATED_CHECK/ec2_rule_report.png -------------------------------------------------------------------------------- /python-rdklib/AMI_DEPRECATED_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "AMI_DEPRECATED_CHECK", 5 | "Description": "AMI_DEPRECATED_CHECK", 6 | "SourceRuntime": "python3.8-lib", 7 | "CodeKey": "AMI_DEPRECATED_CHECK.zip", 8 | "InputParameters": "{}", 9 | "OptionalParameters": "{}", 10 | "SourcePeriodic": "TwentyFour_Hours" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python-rdklib/EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH/README.md: -------------------------------------------------------------------------------- 1 | # EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH 2 | 3 | - 
[EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH](#ec2_instance_ebs_volume_tags_match) 4 | - [Description](#description) 5 | - [Config Rule Info](#config-rule-info) 6 | - [Config Rule Versions (RDKlib)](#config-rule-versions-rdklib) 7 | - [SSM Automation Document](#ssm-automation-document) 8 | 9 | ## Description 10 | 11 | This solution provides 2 different versions of the same custom AWS Config Rule that was developed using 12 | [RDKlib](https://github.com/awslabs/aws-config-rdklib), and an AWS Systems Manager (SSM) Automation document to remediate the given AWS Config rules. 13 | 14 | ## Config Rule Info 15 | 16 | **Description:** Checks whether the Amazon Elastic Block Store (EBS) volume includes the Tags from the Amazon Elastic Compute Cloud (Amazon EC2) 17 | instance it is attached to. 18 | 19 | - The rule is `NON_COMPLIANT` if the EBS volume is attached to an EC2 instance and is missing the instance's tags. 20 | - The rule is `COMPLIANT` if the EBS volume is attached to an EC2 instance and includes the instance's tags. 21 | 22 | **Rationale:** Ensures that Amazon Elastic Block Store (EBS) volumes are always tagged the same way as the instance they are attached to. 23 | 24 | ## Config Rule Versions (RDKlib) 25 | 26 | 1. The [ec2-version](config_rule/ec2_version/EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH) Config rule uses the 27 | [DescribeTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTags.html) API to identify the tags on the resource. 28 | 2. The [config-version](config_rule/config-version/EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH) Config rule uses the 29 | [SelectResourceConfig](https://docs.aws.amazon.com/config/latest/APIReference/API_SelectResourceConfig.html) API to perform a SQL query to AWS 30 | Config to identify the tags on the resource. 
31 | 32 | ## SSM Automation Document 33 | 34 | This [EC2-Tag-Volumes](ssm_automation/ec2_tag_volumes_ssm_document_executeScript.yaml) document tags Amazon EBS volumes to ensure they include the same 35 | Tags as the EC2 Instance they are attached to. This document uses the following APIs: 36 | 37 | - [DescribeVolumes](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVolumes.html) 38 | - [DescribeTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTags.html) 39 | - [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) 40 | -------------------------------------------------------------------------------- /python-rdklib/EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH/config_rule/config-version/EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH", 5 | "Description": "EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH", 6 | "SourceRuntime": "python3.6-lib", 7 | "CodeKey": "EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH.zip", 8 | "InputParameters": "{\"ExecutionRoleName\": \"YOUR_ROLE_NAME\"}", 9 | "OptionalParameters": "{}", 10 | "SourceEvents": "AWS::EC2::Volume,AWS::EC2::Instance" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python-rdklib/EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH/config_rule/ec2_version/EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH", 5 | "Description": "EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH", 6 | "SourceRuntime": "python3.6-lib", 7 | "CodeKey": "EC2_INSTANCE_EBS_VOLUME_TAGS_MATCH.zip", 8 | "InputParameters": "{\"ExecutionRoleName\": \"YOUR_ROLE_NAME\"}", 9 | "OptionalParameters": "{}", 10 | 
"SourceEvents": "AWS::EC2::Volume,AWS::EC2::Instance" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python-rdklib/README.md: -------------------------------------------------------------------------------- 1 | # RDKlib samples 2 | 3 | This repository includes samples of AWS Config Rules built with RDKlib. 4 | 5 | Learn about RDKlib: https://github.com/awslabs/aws-config-rdklib -------------------------------------------------------------------------------- /python-rdklib/SECURITYHUB_ENABLED/SECURITYHUB_ENABLED.py: -------------------------------------------------------------------------------- 1 | """ 2 | ##################################### 3 | ## Gherkin ## 4 | ##################################### 5 | 6 | Rule Name: 7 | SECURITYHUB_ENABLED 8 | 9 | Description: 10 | Checks that AWS Security Hub is enabled for an AWS Account. The rule is NON_COMPLIANT if AWS Security Hub is not enabled. 11 | 12 | Rationale: 13 | AWS Security Hub gives you a comprehensive view of your high-priority security alerts, and compliance status across AWS accounts. 14 | 15 | Indicative Severity: 16 | Medium 17 | 18 | Trigger: 19 | Periodic 20 | 21 | Reports on: 22 | AWS::::Account 23 | 24 | Rule Parameters: 25 | None 26 | 27 | Scenarios: 28 | Scenario: 1 29 | Given: SecurityHub is enabled for an AWS Account. 30 | Then: Return COMPLIANT 31 | 32 | Scenario: 2 33 | Given: SecurityHub is not enabled for an AWS Account. 
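        Then: Return NON_COMPLIANT

"""
import botocore
from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType

APPLICABLE_RESOURCES = ['AWS::::Account']


class SECURITYHUB_ENABLED(ConfigRule):
    """Periodic rule: COMPLIANT when Security Hub is enabled in the evaluated account.

    The check is a single ``securityhub:DescribeHub`` call. A successful
    response means the account is subscribed; an ``InvalidAccessException``
    means it is not. Any other client error (for example an access-denied
    error on the rule's execution role) is re-raised so that a permissions
    problem surfaces as a failed invocation instead of a misleading
    compliance result.
    """

    # Set this to false to prevent unnecessary API calls
    delete_old_evaluations_on_scheduled_notification = False

    def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
        """Return one Evaluation for the account named in ``event['accountId']``.

        Args:
            event: The Config invocation event; only ``accountId`` is read.
            client_factory: rdklib factory used to build the Security Hub client.
            valid_rule_parameters: Unused; this rule takes no parameters.

        Returns:
            A one-element list holding a COMPLIANT or NON_COMPLIANT Evaluation.

        Raises:
            botocore.exceptions.ClientError: for any error other than
                ``InvalidAccessException`` (re-raised unchanged).
        """
        client = client_factory.build_client('securityhub')
        account_id = event['accountId']
        try:
            client.describe_hub()
        except botocore.exceptions.ClientError as error:
            # Scenario:2 SecurityHub is not enabled for an AWS Account.
            if error.response['Error']['Code'] == 'InvalidAccessException':
                return [Evaluation(ComplianceType.NON_COMPLIANT, account_id, APPLICABLE_RESOURCES[0])]
            # Anything else (throttling, access denied, ...) must not be
            # reported as a compliance state; let the invocation fail.
            raise
        # Scenario:1 SecurityHub is enabled for an AWS Account. A successful
        # DescribeHub call is the signal; the response body is not inspected,
        # so the rule can no longer fall through with an empty evaluation list.
        return [Evaluation(ComplianceType.COMPLIANT, account_id, APPLICABLE_RESOURCES[0])]


def lambda_handler(event, context):
    """Lambda entry point: delegate to the rdklib Evaluator for this rule."""
    my_rule = SECURITYHUB_ENABLED()
    evaluator = Evaluator(my_rule, APPLICABLE_RESOURCES)
    return evaluator.handle(event, context)
-------------------------------------------------------------------------------- /python-rdklib/SECURITYHUB_ENABLED/parameters.json: --------------------------------------------------------------------------------
{
  "Version": "1.0",
  "Parameters": {
    "RuleName": "SECURITYHUB_ENABLED",
    "SourceRuntime": "python3.6-lib",
    "CodeKey": "SECURITYHUB_ENABLED.zip",
    "InputParameters": "{\"ExecutionRoleName\": \"YOUR_ROLE_NAME\"}",
    "OptionalParameters": "{}",
    "SourcePeriodic": "TwentyFour_Hours"
  },
  "Tags": "[]"
}
-------------------------------------------------------------------------------- /python/' RDK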
parameters.json for AWS Managed Config Rules/ACM_CERTIFICATE_EXPIRATION_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder assists you on deploying the rule using the Rule Development Kit (RDK). 2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ACM_CERTIFICATE_EXPIRATION_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ACM_CERTIFICATE_EXPIRATION_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"daysToExpiration\":\"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceEvents": "AWS::ACM::Certificate", 11 | "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK", 12 | "RuleSets": [ 13 | "rulecriticity:high", 14 | "pci", 15 | "pci:4.1", 16 | "acm" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/API_GW_CACHE_ENABLED_AND_ENCRYPTED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/API_GW_CACHE_ENABLED_AND_ENCRYPTED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "API_GW_CACHE_ENABLED_AND_ENCRYPTED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::ApiGateway::Stage", 10 | "SourceIdentifier": "API_GW_CACHE_ENABLED_AND_ENCRYPTED" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/API_GW_ENDPOINT_TYPE_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/API_GW_ENDPOINT_TYPE_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "API_GW_ENDPOINT_TYPE_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{\"endpointConfigurationTypes\": \"\"}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::ApiGateway::RestApi", 10 | "SourceIdentifier": "API_GW_ENDPOINT_TYPE_CHECK" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CLOUDFRONT_VIEWER_POLICY_HTTPS/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CLOUDFRONT_VIEWER_POLICY_HTTPS/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "CLOUDFRONT_VIEWER_POLICY_HTTPS", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::CloudFront::Distribution", 10 | "SourceIdentifier": "CLOUDFRONT_VIEWER_POLICY_HTTPS" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CLOUDTRAIL_S3_DATAEVENTS_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CLOUDTRAIL_S3_DATAEVENTS_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"S3BucketNames\": \"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "CLOUDTRAIL_S3_DATAEVENTS_ENABLED" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CLOUDWATCH_LOG_GROUP_ENCRYPTED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CLOUDWATCH_LOG_GROUP_ENCRYPTED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "CLOUDWATCH_LOG_GROUP_ENCRYPTED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"KmsKeyId\": \"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "CLOUDWATCH_LOG_GROUP_ENCRYPTED" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CLOUD_TRAIL_ENCRYPTION_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CLOUD_TRAIL_ENCRYPTION_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "CLOUD_TRAIL_ENCRYPTION_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "CLOUD_TRAIL_ENCRYPTION_ENABLED" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CMK_BACKING_KEY_ROTATION_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder assists you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/CMK_BACKING_KEY_ROTATION_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "CMK_BACKING_KEY_ROTATION_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "SourcePeriodic": "TwentyFour_Hours", 9 | "SourceIdentifier": "CMK_BACKING_KEY_ROTATION_ENABLED", 10 | "RuleSets": [ 11 | "rulecriticity:medium", 12 | "pci", 13 | "pci:3.6", 14 | "kms" 15 | ] 16 | } 17 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/DB_INSTANCE_BACKUP_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/DB_INSTANCE_BACKUP_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "DB_INSTANCE_BACKUP_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"backupRetentionPeriod\": \"\", \"preferredBackupWindow\": \"\", \"checkReadReplicas\": \"\"}", 9 | "SourceEvents": "AWS::RDS::DBInstance", 10 | "SourceIdentifier": "DB_INSTANCE_BACKUP_ENABLED" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/DYNAMODB_TABLE_ENCRYPTION_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder assists you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/DYNAMODB_TABLE_ENCRYPTION_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "DYNAMODB_TABLE_ENCRYPTION_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::DynamoDB::Table", 10 | "SourceIdentifier": "DYNAMODB_TABLE_ENCRYPTION_ENABLED", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:high", 14 | "pci", 15 | "pci:3.4" 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_ASSOCIATION_COMPLIANCE_STATUS_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder assists you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_ASSOCIATION_COMPLIANCE_STATUS_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "SourceEvents": "AWS::SSM::AssociationCompliance", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}", 10 | "SourceIdentifier": "EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:high", 14 | "pci", 15 | "pci:6.2", 16 | "ssm" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_INSTANCE_MANAGED_BY_SSM/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder assists you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_INSTANCE_MANAGED_BY_SSM/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EC2_INSTANCE_MANAGED_BY_SSM", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "SourceEvents": "AWS::EC2::Instance,AWS::SSM::ManagedInstanceInventory", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}", 10 | "SourceIdentifier": "EC2_INSTANCE_MANAGED_BY_SSM", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:high", 14 | "pci", 15 | "pci:6.2", 16 | "ssm" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_INSTANCE_NO_PUBLIC_IP/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_INSTANCE_NO_PUBLIC_IP/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EC2_INSTANCE_NO_PUBLIC_IP", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::EC2::Instance", 10 | "SourceIdentifier": "EC2_INSTANCE_NO_PUBLIC_IP" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_PATCH_COMPLIANCE_STATUS_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder assists you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_PATCH_COMPLIANCE_STATUS_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "SourceEvents": "AWS::SSM::PatchCompliance", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}", 10 | "SourceIdentifier": "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:high", 14 | "pci", 15 | "pci:6.2", 16 | "ssm" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_SECURITY_GROUP_ATTACHED_TO_ENI/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_SECURITY_GROUP_ATTACHED_TO_ENI/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EC2_SECURITY_GROUP_ATTACHED_TO_ENI", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::EC2::SecurityGroup", 10 | "SourceIdentifier": "EC2_SECURITY_GROUP_ATTACHED_TO_ENI" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_VOLUME_INUSE_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EC2_VOLUME_INUSE_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EC2_VOLUME_INUSE_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"deleteOnTermination\": \"\"}", 9 | "SourceEvents": "AWS::EC2::Volume", 10 | "SourceIdentifier": "EC2_VOLUME_INUSE_CHECK" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EFS_ENCRYPTED_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/EFS_ENCRYPTED_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EFS_ENCRYPTED_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"KmsKeyId\": \"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "EFS_ENCRYPTED_CHECK" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELASTICSEARCH_ENCRYPTED_AT_REST/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELASTICSEARCH_ENCRYPTED_AT_REST/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ELASTICSEARCH_ENCRYPTED_AT_REST", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "ELASTICSEARCH_ENCRYPTED_AT_REST" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELASTICSEARCH_IN_VPC_ONLY/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELASTICSEARCH_IN_VPC_ONLY/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ELASTICSEARCH_IN_VPC_ONLY", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "ELASTICSEARCH_IN_VPC_ONLY" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELB_ACM_CERTIFICATE_REQUIRED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELB_ACM_CERTIFICATE_REQUIRED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ELB_ACM_CERTIFICATE_REQUIRED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::ElasticLoadBalancing::LoadBalancer", 10 | "SourceIdentifier": "ELB_ACM_CERTIFICATE_REQUIRED" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{\"sslProtocolsAndCiphers\": \"\"}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::ElasticLoadBalancing::LoadBalancer", 10 | "SourceIdentifier": "ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELB_LOGGING_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder assists you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELB_LOGGING_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ELB_LOGGING_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "SourceEvents": "AWS::ElasticLoadBalancingV2::LoadBalancer,AWS::ElasticLoadBalancing::LoadBalancer", 8 | "OptionalParameters": "{\"s3BucketName\":\"\"}", 9 | "InputParameters": "{}", 10 | "SourceIdentifier": "ELB_LOGGING_ENABLED", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:high", 14 | "pci", 15 | "pci:10.1", 16 | "elb", 17 | "alb" 18 | ] 19 | } 20 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{\"predefinedPolicyName\": \"\"}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::ElasticLoadBalancing::LoadBalancer", 10 | "SourceIdentifier": "ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/GUARDDUTY_ENABLED_CENTRALIZED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder assists you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/GUARDDUTY_ENABLED_CENTRALIZED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "GUARDDUTY_ENABLED_CENTRALIZED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"CentralMonitoringAccount\":\"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "GUARDDUTY_ENABLED_CENTRALIZED", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:high", 14 | "pci", 15 | "pci:10.6", 16 | "guardduty" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/IAM_PASSWORD_POLICY/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder assists you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/IAM_PASSWORD_POLICY/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "IAM_PASSWORD_POLICY", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireNumbers\":\"true\",\"MinimumPasswordLength\":\"8\",\"PasswordReusePrevention\":\"6\",\"MaxPasswordAge\":\"60\"}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "IAM_PASSWORD_POLICY", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:high", 14 | "pci", 15 | "pci:8.1", 16 | "iam" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/IAM_USER_MFA_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/IAM_USER_MFA_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "IAM_USER_MFA_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "IAM_USER_MFA_ENABLED" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/IAM_USER_UNUSED_CREDENTIALS_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder will assist you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/IAM_USER_UNUSED_CREDENTIALS_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "IAM_USER_UNUSED_CREDENTIALS_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{\"maxCredentialUsageAge\": \"90\"}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "IAM_USER_UNUSED_CREDENTIALS_CHECK" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder will assist you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::Lambda::Function", 10 | "SourceIdentifier": "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/MULTI_REGION_CLOUD_TRAIL_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder will assist you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/MULTI_REGION_CLOUD_TRAIL_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "MULTI_REGION_CLOUD_TRAIL_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"s3BucketName\": \"\", \"snsTopicArn\": \"\", \"cloudWatchLogsLogGroupArn\": \"\", \"includeManagementEvents\": \"\", \"readWriteType\": \"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "MULTI_REGION_CLOUD_TRAIL_ENABLED" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/RDS_INSTANCE_PUBLIC_ACCESS_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder assists you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/RDS_INSTANCE_PUBLIC_ACCESS_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "RDS_INSTANCE_PUBLIC_ACCESS_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "SourceEvents": "AWS::RDS::DBInstance", 9 | "SourceIdentifier": "RDS_INSTANCE_PUBLIC_ACCESS_CHECK", 10 | "RuleSets": [ 11 | "baseline", 12 | "rulecriticity:critical", 13 | "pci", 14 | "pci:1.2", 15 | "rds" 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/RDS_MULTI_AZ_SUPPORT/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder will assist you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/RDS_MULTI_AZ_SUPPORT/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "RDS_MULTI_AZ_SUPPORT", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::RDS::DBInstance", 10 | "SourceIdentifier": "RDS_MULTI_AZ_SUPPORT" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/RDS_SNAPSHOTS_PUBLIC_PROHIBITED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder assists you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/RDS_SNAPSHOTS_PUBLIC_PROHIBITED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "RDS_SNAPSHOTS_PUBLIC_PROHIBITED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "SourceEvents": "AWS::RDS::DBInstance", 9 | "SourceIdentifier": "RDS_SNAPSHOTS_PUBLIC_PROHIBITED", 10 | "RuleSets": [ 11 | "rulecriticity:critical", 12 | "pci", 13 | "pci:1.2", 14 | "rds" 15 | ] 16 | } 17 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/RDS_STORAGE_ENCRYPTED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder assists you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/RDS_STORAGE_ENCRYPTED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "RDS_STORAGE_ENCRYPTED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "SourceEvents": "AWS::RDS::DBInstance", 9 | "SourceIdentifier": "RDS_STORAGE_ENCRYPTED", 10 | "RuleSets": [ 11 | "rulecriticity:high", 12 | "pci", 13 | "pci:3.4", 14 | "rds" 15 | ] 16 | } 17 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/REDSHIFT_CLUSTER_CONFIGURATION_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder assists you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/REDSHIFT_CLUSTER_CONFIGURATION_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": " REDSHIFT_CLUSTER_CONFIGURATION_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{\"clusterDbEncrypted\":\"true\",\"loggingEnabled\":\"true\"}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::Redshift::Cluster", 10 | "SourceIdentifier": " REDSHIFT_CLUSTER_CONFIGURATION_CHECK", 11 | "RuleSets": [ 12 | "rulecriticity:high", 13 | "pci", 14 | "pci:3.4", 15 | "pci:10.1", 16 | "redshift" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder will assist you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::Redshift::Cluster", 10 | "SourceIdentifier": "REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ROOT_ACCOUNT_MFA_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder assists you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/ROOT_ACCOUNT_MFA_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ROOT_ACCOUNT_MFA_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "ROOT_ACCOUNT_MFA_ENABLED", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:critical", 14 | "pci", 15 | "pci:8.3", 16 | "root" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/S3_BUCKET_LOGGING_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder assists you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/S3_BUCKET_LOGGING_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "S3_BUCKET_LOGGING_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "SourceEvents": "AWS::S3::Bucket", 8 | "OptionalParameters": "{\"targetBucket\":\"\",\"targetPrefix\":\"\"}", 9 | "InputParameters": "{}", 10 | "SourceIdentifier": "S3_BUCKET_LOGGING_ENABLED", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:high", 14 | "pci", 15 | "pci:10.1", 16 | "s3" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/S3_BUCKET_PUBLIC_READ_PROHIBITED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder assists you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/S3_BUCKET_PUBLIC_READ_PROHIBITED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "S3_BUCKET_PUBLIC_READ_PROHIBITED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "SourceEvents": "AWS::S3::Bucket", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}", 10 | "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:critical", 14 | "pci", 15 | "pci:7.1", 16 | "s3" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/S3_BUCKET_PUBLIC_WRITE_PROHIBITED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder will assist you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/S3_BUCKET_PUBLIC_WRITE_PROHIBITED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::S3::Bucket", 10 | "SourcePeriodic": "TwentyFour_Hours", 11 | "SourceIdentifier": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED" 12 | }, 13 | "Tags": "[]" 14 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/S3_BUCKET_SSL_REQUESTS_ONLY/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder assists you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/S3_BUCKET_SSL_REQUESTS_ONLY/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "S3_BUCKET_SSL_REQUESTS_ONLY", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "SourceEvents": "AWS::S3::Bucket", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}", 10 | "SourceIdentifier": "S3_BUCKET_SSL_REQUESTS_ONLY", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:high", 14 | "pci", 15 | "pci:4.1", 16 | "s3" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/S3_BUCKET_VERSIONING_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder assists you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/S3_BUCKET_VERSIONING_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "S3_BUCKET_VERSIONING_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"isMfaDeleteEnabled\":\"\"}", 9 | "SourceEvents": "AWS::S3::Bucket", 10 | "SourceIdentifier": "S3_BUCKET_VERSIONING_ENABLED", 11 | "RuleSets": [ 12 | "rulecriticity:high", 13 | "pci", 14 | "pci:12.10", 15 | "s3" 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/VPC_DEFAULT_SECURITY_GROUP_CLOSED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder assists you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/VPC_DEFAULT_SECURITY_GROUP_CLOSED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "VPC_DEFAULT_SECURITY_GROUP_CLOSED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "SourceEvents": "AWS::EC2::SecurityGroup", 9 | "SourceIdentifier": "VPC_DEFAULT_SECURITY_GROUP_CLOSED", 10 | "RuleSets": [ 11 | "baseline", 12 | "rulecriticity:medium", 13 | "pci", 14 | "pci:1.2", 15 | "vpc" 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/VPC_FLOW_LOGS_ENABLED/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder assists you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/VPC_FLOW_LOGS_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "VPC_FLOW_LOGS_ENABLED", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"trafficType\":\"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "VPC_FLOW_LOGS_ENABLED", 11 | "RuleSets": [ 12 | "rulecriticity:medium", 13 | "pci", 14 | "pci:10.1", 15 | "vpc" 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder will assist you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"authorizedTcpPorts\": \"\", \"authorizedUdpPorts\": \"\"}", 9 | "SourceEvents": "AWS::EC2::SecurityGroup", 10 | "SourceIdentifier": "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/VPC_VPN_2_TUNNELS_UP/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed rule. This folder will assist you in deploying the rule using the Rule Development Kit (RDK).
2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/' RDK parameters.json for AWS Managed Config Rules/VPC_VPN_2_TUNNELS_UP/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "VPC_VPN_2_TUNNELS_UP", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::EC2::VPNConnection", 10 | "SourceIdentifier": "VPC_VPN_2_TUNNELS_UP" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/AMI_NOT_PUBLIC_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "AMI_NOT_PUBLIC_CHECK", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "AMI_NOT_PUBLIC_CHECK.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "Six_Hours" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/AMI_OUTDATED_CHECK/parameters.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "AMI_OUTDATED_CHECK.zip", 5 | "SourceRuntime": "python3.6", 6 | "RuleName": "AMI_OUTDATED_CHECK", 7 | "SourcePeriodic": "TwentyFour_Hours", 8 | "OptionalParameters": "{\"WhitelistedAmis\": \" \", \"WhitelistedInstances\": \" \", \"NumberOfDays\": \"60\"}", 9 | "InputParameters": "{}" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /python/AMI_OWNERID_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "AMI_OWNERID_CHECK", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "AMI_OWNERID_CHECK.zip", 7 | "InputParameters": "{\"VpcId\": \"vpc-06ad19353fa90a742, vpc-06ad19353fb81a231\",\"OwnerId\": \"845575274112\"}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "One_Hour" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/API_GW_AUTHORIZER_IN_PLACE/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "API_GW_AUTHORIZER_IN_PLACE.zip", 5 | "SourceRuntime": "python3.7", 6 | "RuleName": "API_GW_AUTHORIZER_IN_PLACE", 7 | "SourceEvents": "AWS::ApiGateway::RestApi", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/API_GW_CACHE_ENABLED_AND_ENCRYPTED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "API_GW_CACHE_ENABLED_AND_ENCRYPTED", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "API_GW_CACHE_ENABLED_AND_ENCRYPTED.zip", 7 | 
"InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::ApiGateway::Stage" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/API_GW_ENDPOINT_TYPE_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "API_GW_ENDPOINT_TYPE_CHECK", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "API_GW_ENDPOINT_TYPE_CHECK.zip", 7 | "InputParameters": "{\"endpointConfigurationType\": \"\"}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::ApiGateway::RestApi" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/API_GW_EXECUTION_LOGGING_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "API_GW_EXECUTION_LOGGING_ENABLED", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "API_GW_EXECUTION_LOGGING_ENABLED.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"loggingLevel\": \"\"}", 9 | "SourceEvents": "AWS::ApiGateway::Stage,AWS::ApiGatewayV2::Stage" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/API_GW_NOT_EDGE_OPTIMISED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Parameters": { 3 | "RuleName": "API_GW_NOT_EDGE_OPTIMISED", 4 | "SourceRuntime": "python3.6", 5 | "CodeKey": "API_GW_NOT_EDGE_OPTIMISED.zip", 6 | "InputParameters": "{\"ExceptionList\":\"somegatewayid\"}", 7 | "SourcePeriodic": "TwentyFour_Hours" 8 | } 9 | } -------------------------------------------------------------------------------- /python/API_GW_PRIVATE_RESTRICTED/parameters.json: -------------------------------------------------------------------------------- 1 
| { 2 | "Parameters": { 3 | "InputParameters": "{}", 4 | "CodeKey": "final-code.zip", 5 | "SourceRuntime": "python3.6", 6 | "SourcePeriodic": "One_Hour", 7 | "RuleName": "API_GW_PRIVATE_RESTRICTED" 8 | } 9 | } -------------------------------------------------------------------------------- /python/API_GW_RESTRICTED_IP/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Parameters": { 3 | "RuleName": "API_GW_RESTRICTED_IP", 4 | "SourceRuntime": "python3.6", 5 | "CodeKey": "API_GW_RESTRICTED_IP.zip", 6 | "InputParameters": "{\"WhitelistedIPs\":\"10.0.0.0/24\"}", 7 | "SourcePeriodic": "TwentyFour_Hours" 8 | } 9 | } -------------------------------------------------------------------------------- /python/BUSINESS_SUPPORT_OR_ABOVE_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "BUSINESS_SUPPORT_OR_ABOVE_ENABLED.zip", 5 | "SourceRuntime": "python3.6", 6 | "SourcePeriodic": "TwentyFour_Hours", 7 | "RuleName": "BUSINESS_SUPPORT_OR_ABOVE_ENABLED", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/CLOUDFRONT_LOGGING_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "CLOUDFRONT_LOGGING_ENABLED", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "CLOUDFRONT_LOGGING_ENABLED.zip", 7 | "InputParameters": "{\"CentralLoggingBucket\": \"cloudfront-logs-bucket-here\"}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::CloudFront::Distribution" 10 | } 11 | } -------------------------------------------------------------------------------- /python/CLOUDFRONT_VIEWER_POLICY_HTTPS/parameters.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "CLOUDFRONT_VIEWER_POLICY_HTTPS.zip", 5 | "SourceRuntime": "python3.6", 6 | "RuleName": "CLOUDFRONT_VIEWER_POLICY_HTTPS", 7 | "SourceEvents": "AWS::CloudFront::Distribution", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/CLOUDFRONT_WEBACL_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "CLOUDFRONT_WEBACL_CHECK", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "CLOUDFRONT_WEBACL_CHECK.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::CloudFront::Distribution" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/CLOUDTRAIL_ENABLED_V2/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "CLOUDTRAIL_ENABLED_V2", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "CLOUDTRAIL_ENABLED_V2.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"S3BucketName\":\"\",\"EncryptedBoolean\":\"True\",\"KMSKeyArn\":\"\",\"GlobalResourcesBoolean\":\"True\",\"MultiRegionBoolean\":\"True\",\"ManagementEventBoolean\":\"True\",\"S3DataEventBoolean\":\"True\",\"LambdaEventBoolean\":\"True\",\"LFIBoolean\":\"True\"}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "RuleSets": [ 11 | "baseline", 12 | "rulecriticity:critical", 13 | "pci", 14 | "pci:10.1", 15 | "pci:10.2", 16 | "pci:10.5", 17 | "cloudtrail" 18 | ] 19 | } 20 | } 21 | 22 | -------------------------------------------------------------------------------- /python/CLOUDTRAIL_S3_DATAEVENTS_ENABLED/parameters.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "CLOUDTRAIL_S3_DATAEVENTS_ENABLED.zip", 5 | "SourceRuntime": "python3.6", 6 | "SourcePeriodic": "TwentyFour_Hours", 7 | "RuleName": "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", 8 | "OptionalParameters": "{\"S3BucketName\": \"\"}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/CLOUDWATCH_LOG_GROUP_ENCRYPTED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "CLOUDWATCH_LOG_GROUP_ENCRYPTED.zip", 5 | "SourceRuntime": "python3.6", 6 | "SourcePeriodic": "One_Hour", 7 | "RuleName": "CLOUDWATCH_LOG_GROUP_ENCRYPTED", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{\"KmsKeyId\": \"\"}" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/DMS_REPLICATION_NOT_PUBLIC/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "DMS_REPLICATION_NOT_PUBLIC.zip", 5 | "SourceRuntime": "python3.6", 6 | "SourcePeriodic": "One_Hour", 7 | "RuleName": "DMS_REPLICATION_NOT_PUBLIC", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/DYNAMODB_ENCRYPTED_CUSTOM/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Parameters": { 3 | "RuleName": "DYNAMODB_ENCRYPTED", 4 | "SourceRuntime": "python3.6", 5 | "CodeKey": "DYNAMODB_ENCRYPTED.zip", 6 | "InputParameters": "{}", 7 | "SourceEvents": "AWS::DynamoDB::Table" 8 | } 9 | } 
-------------------------------------------------------------------------------- /python/EBS_ENCRYPTED_VOLUMES_V2/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Parameters": { 3 | "RuleName": "EBS_ENCRYPTED_VOLUMES_V2", 4 | "SourceRuntime": "python3.6", 5 | "CodeKey": "EBS_ENCRYPTED_VOLUMES_V2.zip", 6 | "InputParameters": "{}", 7 | "OptionalParameters": "{\"VolumeExceptionList\": \"\", \"SubnetExceptionList\": \"\"}", 8 | "SourceEvents": "AWS::EC2::Volume", 9 | "RuleSets": [ 10 | "rulecriticity:high", 11 | "pci", 12 | "pci:3.4" 13 | ] 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /python/EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/EC2_INSTANCE_LICENSE_INCLUDED_DEDICATED_HOST/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EC2_INSTANCE_LICENSE_INCLUDED_DEDICATED_HOST", 5 | "Description": "EC2_INSTANCE_LICENSE_INCLUDED_DEDICATED_HOST", 6 | "SourceRuntime": "python3.9", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::EC2::Instance" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/EC2_INSTANCE_NO_PUBLIC_IP/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 
3 | "Parameters": { 4 | "RuleName": "EC2_INSTANCE_NO_PUBLIC_IP", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "EC2_INSTANCE_NO_PUBLIC_IP.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::EC2::Instance" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/EC2_SECURITY_GROUP_BADINGRESS/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EC2_SECURITY_GROUP_BADINGRESS", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "EC2_SECURITY_GROUP_BADINGRESS.zip", 7 | "InputParameters": "{\"BlacklistedPorts\":\"443, 53, 21, 20, 4333, 3306, 137, 138, 5432, 3389, 25, 1433, 1434, 23,5500, 5900, 135, 22\"}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::EC2::SecurityGroup" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/EC2_SECURITY_GROUP_NOT_USED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "EC2_SECURITY_GROUP_NOT_USED.zip", 5 | "SourceRuntime": "python3.6", 6 | "RuleName": "EC2_SECURITY_GROUP_NOT_USED", 7 | "SourceEvents": "AWS::EC2::SecurityGroup", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Parameters": { 3 | "RuleName": "EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME", 4 | "SourceRuntime": "python3.6", 5 | "CodeKey": "EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME.zip", 6 | "InputParameters": "{}", 7 | "SourceEvents": "AWS::EC2::Instance" 8 | } 9 | } 
-------------------------------------------------------------------------------- /python/ECR_REPOSITORY_SCAN_ON_PUSH_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ECR_REPOSITORY_SCAN_ON_PUSH_CHECK", 5 | "Description": "ECR_REPOSITORY_SCAN_ON_PUSH_CHECK", 6 | "SourceRuntime": "python3.7", 7 | "CodeKey": "ECR_REPOSITORY_SCAN_ON_PUSH_CHECK.zip", 8 | "InputParameters": "{}", 9 | "OptionalParameters": "{}", 10 | "SourcePeriodic": "One_Hour" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/ECS_AWSLOGS_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ECS_AWSLOGS_CHECK", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "ECS_AWSLOGS_CHECK.zip", 7 | "InputParameters": "{\"TaskDefinition\": \"MyServiceTaskDefinition, MyServiceTwoTaskDefinition\"}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "Three_Hours" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/ECS_ECRIMAGE_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ECS_ECRIMAGE_CHECK", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "ECS_ECRIMAGE_CHECK.zip", 7 | "InputParameters": "{\"TaskDefinition\": \"MyServiceTaskDefinition, MyServiceTwoTaskDefinition\",\"RegionName\": \"us-west-2\"}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "Three_Hours" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/EFS_ENCRYPTED_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "EFS_ENCRYPTED_CHECK.zip", 5 | "SourceRuntime": "python3.6", 6 | "SourcePeriodic": "One_Hour", 7 | "RuleName": "EFS_ENCRYPTED_CHECK", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{\"KmsKeyId\": \"arn:aws:kms:us-west-2:123456789012:key/fdbe4169-8c1c-49c9-a181-a3d53e8c8d1f\"}" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/EKS_LOGGING_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EKS_LOGGING_CHECK", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "EKS_LOGGING_CHECK.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "One_Hour" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/EKS_PUBLIC_ACCESS/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EKS_PUBLIC_ACCESS", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "EKS_PUBLIC_ACCESS.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "One_Hour" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"snapshotRetentionPeriod\": \"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } 13 | 
-------------------------------------------------------------------------------- /python/ELASTICSEARCH_ENCRYPTED_AT_REST/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ELASTICSEARCH_ENCRYPTED_AT_REST", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "ELASTICSEARCH_ENCRYPTED_AT_REST.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/ELASTICSEARCH_IN_VPC_ONLY/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ELASTICSEARCH_IN_VPC_ONLY", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "ELASTICSEARCH_IN_VPC_ONLY.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/ELB_ALB_PREDEFINED_SSL_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ELB_ALB_PREDEFINED_SSL_CHECK", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "ELB_ALB_PREDEFINED_SSL_CHECK.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::ElasticLoadBalancingV2::LoadBalancer", 10 | "RuleSets": [ 11 | "rulecriticity:high", 12 | "pci", 13 | "pci:4.1", 14 | "elb", 15 | "alb" 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /python/ELB_DELETION_PROTECTION_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": 
"ELB_DELETION_PROTECTION_ENABLED", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "ELB_DELETION_PROTECTION_ENABLED.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::ElasticLoadBalancingV2::LoadBalancer" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/EMR_KERBEROS_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Parameters": { 3 | "RuleName": "EMR_KERBEROS_ENABLED", 4 | "SourceRuntime": "python3.6", 5 | "CodeKey": "EMR_KERBEROS_ENABLED.zip", 6 | "InputParameters": "{}", 7 | "OptionalParameters": "{\"TicketLifetimeInHours\":\"\",\"Realm\":\"\",\"Domain\":\"\",\"AdminServer\":\"\",\"KdcServer\":\"\"}", 8 | "SourcePeriodic": "TwentyFour_Hours", 9 | "RuleSets": [ 10 | "rulecriticity:high", 11 | "pci", 12 | "pci:7.1", 13 | "emr" 14 | ] 15 | } 16 | } -------------------------------------------------------------------------------- /python/EMR_MASTER_NO_PUBLIC_IP/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EMR_MASTER_NO_PUBLIC_IP", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "EMR_MASTER_NO_PUBLIC_IP.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/EMR_SECURITY_GROUPS_RESTRICTED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "EMR_SECURITY_GROUPS_RESTRICTED", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "EMR_SECURITY_GROUPS_RESTRICTED.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "One_Hour" 10 | }, 11 | "Tags": "[]" 12 | } 
-------------------------------------------------------------------------------- /python/ENTERPRISE_SUPPORT_PLAN_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ENTERPRISE_SUPPORT_PLAN_ENABLED", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "ENTERPRISE_SUPPORT_PLAN_ENABLED.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/GUARDDUTY_UNTREATED_FINDINGS/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "GUARDDUTY_UNTREATED_FINDINGS", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "GUARDDUTY_UNTREATED_FINDINGS.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"daysLowSev\": \"30\", \"daysMediumSev\": \"7\", \"daysHighSev\": \"1\"}", 9 | "SourcePeriodic": "One_Hour" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/IAM_ACCESS_KEY_ROTATED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "IAM_ACCESS_KEY_ROTATED", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "IAM_ACCESS_KEY_ROTATED.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"WhitelistedUserList\":\"\",\"KeyActiveTimeOutInDays\":\"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "RuleSets": [ 11 | "baseline", 12 | "rulecriticity:high", 13 | "pci", 14 | "pci:8.1", 15 | "iam" 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /python/IAM_GROUP_NO_POLICY_FULL_STAR/parameters.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "IAM_GROUP_NO_POLICY_FULL_STAR", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "IAM_GROUP_NO_POLICY_FULL_STAR.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::IAM::Group" 10 | } 11 | } -------------------------------------------------------------------------------- /python/IAM_IP_RESTRICTION/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "IAM_IP_RESTRICTION", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "IAM_IP_RESTRICTION.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"WhitelistedUserNames\": \"\", \"maxIpNums\": \"\"}", 9 | "SourceEvents": "AWS::IAM::User" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/IAM_NO_USER/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "IAM_NO_USER", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "IAM_NO_USER.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"WhitelistedUserList\": \"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | } 11 | } -------------------------------------------------------------------------------- /python/IAM_POLICY_REQUIRED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "IAM_POLICY_REQUIRED.zip", 5 | "SourceRuntime": "python3.6", 6 | "RuleName": "IAM_POLICY_REQUIRED", 7 | "SourceEvents": "AWS::IAM::Role,AWS::IAM::User", 8 | "OptionalParameters": "{\"exceptionList\": \"\"}", 9 | "InputParameters": "{\"policyArns\": \"\"}" 10 | } 11 | } 
-------------------------------------------------------------------------------- /python/IAM_ROLE_NO_POLICY_FULL_STAR/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "IAM_ROLE_NO_POLICY_FULL_STAR", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "IAM_ROLE_NO_POLICY_FULL_STAR.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::IAM::Role", 10 | "RuleSets": [ 11 | "baseline", 12 | "rulecriticity:high", 13 | "pci", 14 | "pci:7.1", 15 | "iam" 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /python/IAM_USER_MATCHES_REGEX_PATTERN/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "IAM_USER_MATCHES_REGEX_PATTERN", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "IAM_USER_MATCHES_REGEX_PATTERN.zip", 7 | "InputParameters": "{\"regexPattern\":\".*admin.*\"}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::IAM::User" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/IAM_USER_MFA_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Parameters": { 3 | "RuleName": "IAM_USER_MFA_ENABLED", 4 | "SourceRuntime": "python3.6", 5 | "CodeKey": "IAM_USER_MFA_ENABLED.zip", 6 | "InputParameters": "{}", 7 | "SourcePeriodic": "TwentyFour_Hours", 8 | "RuleSets": [ 9 | "baseline", 10 | "rulecriticity:high", 11 | "pci", 12 | "pci:8.1", 13 | "iam" 14 | ] 15 | } 16 | } -------------------------------------------------------------------------------- /python/IAM_USER_NO_POLICY_FULL_STAR/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | 
"RuleName": "IAM_USER_NO_POLICY_FULL_STAR", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "IAM_USER_NO_POLICY_FULL_STAR.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::IAM::User", 10 | "RuleSets": [ 11 | "baseline", 12 | "rulecriticity:high", 13 | "pci", 14 | "pci:7.1", 15 | "iam" 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /python/IAM_USER_PERMISSION_BOUNDARY_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "IAM_USER_PERMISSION_BOUNDARY_CHECK.zip", 5 | "SourceRuntime": "python3.6", 6 | "SourcePeriodic": "TwentyFour_Hours", 7 | "RuleName": "IAM_USER_PERMISSION_BOUNDARY_CHECK", 8 | "OptionalParameters": "{\"policyArns\":\"arn:aws:iam::aws:policy/AdministratorAccess\"}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/IAM_USER_USED_LAST_90_DAYS/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "IAM_USER_USED_LAST_90_DAYS", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "IAM_USER_USED_LAST_90_DAYS.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"WhitelistedUserList\": \"\", \"NotUsedTimeOutInDays\": \"\", \"NewUserCooldownInDays\": \"\"}", 9 | "SourceEvents": "AWS::IAM::User", 10 | "SourcePeriodic": "TwentyFour_Hours", 11 | "RuleSets": [ 12 | "baseline", 13 | "rulecriticity:high", 14 | "pci", 15 | "pci:8.1", 16 | "iam" 17 | ] 18 | } 19 | } -------------------------------------------------------------------------------- /python/INSTANCE_PROFILE_HAVE_DEFINED_POLICIES/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Parameters": { 3 | "RuleName": 
"INSTANCE_PROFILE_HAVE_DEFINED_POLICIES", 4 | "SourceRuntime": "python3.6", 5 | "CodeKey": "INSTANCE_PROFILE_HAVE_DEFINED_POLICIES.zip", 6 | "InputParameters": "{}", 7 | "SourceEvents": "AWS::IAM::Role" 8 | } 9 | } -------------------------------------------------------------------------------- /python/INTERNET_GATEWAY_AUTHORIZED_ONLY/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "INTERNET_GATEWAY_AUTHORIZED_ONLY", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "INTERNET_GATEWAY_AUTHORIZED_ONLY.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"AuthorizedVpcIds\":\"\"}", 9 | "SourceEvents": "AWS::EC2::InternetGateway", 10 | "RuleSets": [ 11 | "accountclassification:secret", 12 | "accountclassification:confidential", 13 | "rulecriticity:high", 14 | "pci" 15 | ] 16 | } 17 | } 18 | 19 | -------------------------------------------------------------------------------- /python/KMS_KEYS_TO_NOT_DELETE/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "KMS_KEYS_TO_NOT_DELETE", 5 | "SourceRuntime": "python3.6", 6 | "SourcePeriodic": "One_Hour", 7 | "CodeKey": "KMS_KEYS_TO_NOT_DELETE.zip", 8 | "InputParameters": "{}", 9 | "OptionalParameters": "{\"kmsKeyIds\":\"\"}" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/LAMBDA_CODE_IS_VERSIONED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Parameters": { 3 | "RuleName": "LAMBDA_CODE_IS_VERSIONED", 4 | "SourceRuntime": "python3.6", 5 | "CodeKey": "LAMBDA_CODE_IS_VERSIONED.zip", 6 | "InputParameters": "{}", 7 | "SourceEvents": "AWS::Lambda::Function" 8 | } 9 | } -------------------------------------------------------------------------------- 
/python/LAMBDA_CONCURRENCY_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "LAMBDA_CONCURRENCY_CHECK", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "LAMBDA_CONCURRENCY_CHECK.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"ConcurrencyLimitLow\":\"\", \"ConcurrencyLimitHigh\":\"\"}", 9 | "SourceEvents": "AWS::Lambda::Function" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/LAMBDA_DLQ_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "LAMBDA_DLQ_CHECK.zip", 5 | "SourceRuntime": "python3.6", 6 | "RuleName": "LAMBDA_DLQ_CHECK", 7 | "SourceEvents": "AWS::Lambda::Function", 8 | "OptionalParameters": "{\"dlqArn\":\"\"}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/LAMBDA_INSIDE_VPC/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "LAMBDA_INSIDE_VPC.zip", 5 | "SourceRuntime": "python3.6", 6 | "RuleName": "LAMBDA_INSIDE_VPC", 7 | "SourceEvents": "AWS::Lambda::Function", 8 | "OptionalParameters": "{\"subnetId\": \"\"}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/LAMBDA_ROLE_ALLOWED_ON_LOGGING/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Parameters": { 3 | "RuleName": "LAMBDA_ROLE_ALLOWED_ON_LOGGING", 4 | "SourceRuntime": "python3.6", 5 | "CodeKey": "LAMBDA_ROLE_ALLOWED_ON_LOGGING.zip", 6 | "InputParameters": "{}", 7 | "SourceEvents": "AWS::Lambda::Function" 
8 | } 9 | } -------------------------------------------------------------------------------- /python/RDS_ENHANCED_MONITORING_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "RDS_ENHANCED_MONITORING_ENABLED.zip", 5 | "SourceRuntime": "python3.6", 6 | "RuleName": "RDS_ENHANCED_MONITORING_ENABLED", 7 | "SourceEvents": "AWS::RDS::DBInstance", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/REDSHIFT_AUDIT_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | 2 | { 3 | "Version": "1.0", 4 | "Parameters": { 5 | "RuleName": "REDSHIFT_AUDIT_ENABLED", 6 | "Description": "REDSHIFT_AUDIT_ENABLED", 7 | "SourceRuntime": "python3.8", 8 | "CodeKey": "REDSHIFT_AUDIT_ENABLED.zip", 9 | "InputParameters": "{}", 10 | "OptionalParameters": "{}", 11 | "SourcePeriodic": "One_Hour" 12 | }, 13 | "Tags": "[]" 14 | } -------------------------------------------------------------------------------- /python/REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::Redshift::Cluster" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/REDSHIFT_DB_ENCRYPTED/parameters.json: -------------------------------------------------------------------------------- 1 | 2 | { 3 | "Version": "1.0", 4 | "Parameters": { 5 | "RuleName": "REDSHIFT_DB_ENCRYPTED", 6 | "Description": 
"REDSHIFT_DB_ENCRYPTED", 7 | "SourceRuntime": "python3.8", 8 | "CodeKey": "REDSHIFT_DB_ENCRYPTED.zip", 9 | "InputParameters": "{}", 10 | "OptionalParameters": "{}", 11 | "SourcePeriodic": "One_Hour" 12 | }, 13 | "Tags": "[]" 14 | } -------------------------------------------------------------------------------- /python/REDSHIFT_FIPS_REQUIRED/parameters.json: -------------------------------------------------------------------------------- 1 | 2 | { 3 | "Version": "1.0", 4 | "Parameters": { 5 | "RuleName": "REDSHIFT_FIPS_REQUIRED", 6 | "Description": "REDSHIFT_FIPS_REQUIRED", 7 | "SourceRuntime": "python3.8", 8 | "CodeKey": "REDSHIFT_FIPS_REQUIRED.zip", 9 | "InputParameters": "{}", 10 | "OptionalParameters": "{}", 11 | "SourcePeriodic": "One_Hour" 12 | }, 13 | "Tags": "[]" 14 | } -------------------------------------------------------------------------------- /python/REDSHIFT_SSL_REQUIRED/parameters.json: -------------------------------------------------------------------------------- 1 | 2 | { 3 | "Version": "1.0", 4 | "Parameters": { 5 | "RuleName": "REDSHIFT_SSL_REQUIRED", 6 | "Description": "REDSHIFT_SSL_REQUIRED", 7 | "SourceRuntime": "python3.8", 8 | "CodeKey": "REDSHIFT_SSL_REQUIRED.zip", 9 | "InputParameters": "{}", 10 | "OptionalParameters": "{}", 11 | "SourcePeriodic": "One_Hour" 12 | }, 13 | "Tags": "[]" 14 | } -------------------------------------------------------------------------------- /python/REDSHIFT_USER_ACTIVITY_MONITORING_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | 2 | { 3 | "Version": "1.0", 4 | "Parameters": { 5 | "RuleName": "REDSHIFT_USER_ACTIVITY_MONITORING_ENABLED", 6 | "Description": "REDSHIFT_USER_ACTIVITY_MONITORING_ENABLED", 7 | "SourceRuntime": "python3.8", 8 | "CodeKey": "REDSHIFT_USER_ACTIVITY_MONITORING_ENABLED.zip", 9 | "InputParameters": "{}", 10 | "OptionalParameters": "{}", 11 | "SourcePeriodic": "One_Hour" 12 | }, 13 | "Tags": "[]" 14 | } 
-------------------------------------------------------------------------------- /python/REST_API_GW_CUSTOMDOMAIN_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "REST_API_GW_CUSTOMDOMAIN_CHECK", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "REST_API_GW_CUSTOMDOMAIN_CHECK.zip", 7 | "InputParameters": "{\"CustomDomainName\":\"myowndomain.com\"}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "One_Hour" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/ROOT_NO_ACCESS_KEY/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "ROOT_NO_ACCESS_KEY", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "ROOT_NO_ACCESS_KEY.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "RuleSets": [ 11 | "baseline", 12 | "rulecriticity:critical", 13 | "pci", 14 | "pci:7.1", 15 | "root" 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /python/S3_BUCKET_NAMING_CONVENTION/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "S3_BUCKET_NAMING_CONVENTION", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "S3_BUCKET_NAMING_CONVENTION.zip", 7 | "InputParameters": "{\"regexPattern\":\".*test.*\"}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::S3::Bucket" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT/README.md: -------------------------------------------------------------------------------- 1 | # Warning!!! 
This rule requires an additional step before it can be used. 2 | Prior to rule deployment, additional libraries must be added to make this rule function, because it requires versions of BOTO3 and BOTOCORE newer than those currently supported by AWS Lambda. 3 | 4 | 1. Change directory to the parent folder of S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT 5 | 2. Create the newboto directory 6 | 7 | ``` mkdir S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT/newboto ``` 8 | 3. Add the current libraries to the S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT/newboto folder 9 | 10 | ```pip3 install boto3 botocore urllib3 --system --no-deps --target='S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT/newboto/'``` 11 | 12 | 4. Deploy as normal 13 | 14 | ``` rdk deploy S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT ``` 15 | -------------------------------------------------------------------------------- /python/S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"BlockPublicAcls\": \"\", \"IgnorePublicAcls\": \"\", \"BlockPublicPolicy\": \"\", \"RestrictPublicBuckets\": \"\"}", 9 | "SourcePeriodic": "One_Hour" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/S3_VPC_ENDPOINT_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "S3_VPC_ENDPOINT_ENABLED.zip", 5 | "SourceRuntime": "python3.6", 6 | "SourcePeriodic": "TwentyFour_Hours", 7 | "RuleName": "S3_VPC_ENDPOINT_ENABLED", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } 
-------------------------------------------------------------------------------- /python/SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"keyArns\": \"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/SAGEMAKER_NOTEBOOK_KMS_CONFIGURED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "SAGEMAKER_NOTEBOOK_KMS_CONFIGURED", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "SAGEMAKER_NOTEBOOK_KMS_CONFIGURED.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"keyArns\": \"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/SECRETSMANAGER_MAX_SECRET_AGE/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | 
"Parameters": { 4 | "RuleName": "SECRETSMANAGER_MAX_SECRET_AGE", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "SECRETSMANAGER_MAX_SECRET_AGE.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"max_secret_age_days\": \"30\"}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/SHIELD_ADVANCED_ENABLED_AUTORENEW/Readme.md: -------------------------------------------------------------------------------- 1 | This rule is a managed Rule. This folder will assist you on deploying the rule using the Rule Development Kit (RDK). 2 | 3 | Managed Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html 4 | 5 | Rule Development Kit (RDK) - https://github.com/awslabs/aws-config-rdk -------------------------------------------------------------------------------- /python/SHIELD_ADVANCED_ENABLED_AUTORENEW/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "SHIELD_ADVANCED_ENABLED_AUTORENEW", 5 | "SourceRuntime": null, 6 | "CodeKey": null, 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "TwentyFour_Hours", 10 | "SourceIdentifier": "SHIELD_ADVANCED_ENABLED_AUTORENEW" 11 | }, 12 | "Tags": "[]" 13 | } -------------------------------------------------------------------------------- /python/SHIELD_DRT_ACCESS/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "SHIELD_DRT_ACCESS.zip", 5 | "SourceRuntime": "python3.6", 6 | "SourcePeriodic": "One_Hour", 7 | "RuleName": "SHIELD_DRT_ACCESS", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- 
/python/SNS_ENCRYPTED_TOPIC_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "SNS_ENCRYPTED_TOPIC_CHECK", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "SNS_ENCRYPTED_TOPIC_CHECK.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"KmsKeyId\": \"\"}", 9 | "SourcePeriodic": "TwentyFour_Hours" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/SNS_TOPIC_EMAIL_SUB_IN_DOMAINS/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "SNS_TOPIC_EMAIL_SUB_IN_DOMAINS.zip", 5 | "SourceRuntime": "python3.6", 6 | "SourcePeriodic": "One_Hour", 7 | "RuleName": "SNS_TOPIC_EMAIL_SUB_IN_DOMAINS", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{\"domainNames\":\"gmail.com,notyourwish.net,merachelega.org\"}" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/SQS_ENCRYPTION_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "SQS_ENCRYPTION_CHECK", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "SQS_ENCRYPTION_CHECK.zip", 7 | "InputParameters": "{\"QueueNameStartsWith\":\"cookin, servefo\"}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "Three_Hours" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/SQS_PUBLIC_ACCESS_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "SQS_PUBLIC_ACCESS_CHECK", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "SQS_PUBLIC_ACCESS_CHECK.zip", 7 | 
"InputParameters": "{\"QueueNameStartsWith\":\"cookin, servefo\"}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "Three_Hours" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/SQS_TRANSIT_ENCRYPTION_CHECK/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "SQS_TRANSIT_ENCRYPTION_CHECK", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": "SQS_TRANSIT_ENCRYPTION_CHECK.zip", 7 | "InputParameters": "{\"QueueNameStartsWith\":\"cookin, servefo\"}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "Three_Hours" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/VPC_ENDPOINT_DEFAULT_POLICY/parameter.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "CodeKey": "VPC_ENDPOINT_DEFAULT_POLICY.zip", 5 | "SourceRuntime": "python3.7", 6 | "SourcePeriodic": "TwentyFour_Hours", 7 | "RuleName": "VPC_ENDPOINT_DEFAULT_POLICY", 8 | "OptionalParameters": "{}", 9 | "InputParameters": "{}" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/VPC_ENDPOINT_MANUAL_ACCEPTANCE/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "VPC_ENDPOINT_MANUAL_ACCEPTANCE", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "VPC_ENDPOINT_MANUAL_ACCEPTANCE.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "One_Hour" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/VPC_FLOW_LOGS_ENABLED_CUSTOM/parameters.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Parameters": { 3 | "RuleName": "VPC_FLOW_LOGS_ENABLED_CUSTOM", 4 | "SourceRuntime": "python3.6", 5 | "CodeKey": "VPC_FLOW_LOGS_ENABLED_CUSTOM.zip", 6 | "InputParameters": "{\"trafficType\":\"\",\"LogGroupName\":\"\",\"WhiteListedVPC\":\"\"}", 7 | "SourcePeriodic": "TwentyFour_Hours", 8 | "RuleSets": [] 9 | } 10 | } -------------------------------------------------------------------------------- /python/VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{\"authorizedUDPPorts\": \"\", \"authorizedTCPPorts\": \"\"}", 9 | "SourceEvents": "AWS::EC2::SecurityGroup", 10 | "RuleSets": [ 11 | "baseline", 12 | "rulecriticity:high", 13 | "pci", 14 | "pci:1.2", 15 | "vpc" 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /python/VPC_VPN_2_TUNNELS_UP/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "VPC_VPN_2_TUNNELS_UP", 5 | "SourceRuntime": "python3.6", 6 | "CodeKey": "VPC_VPN_2_TUNNELS_UP.zip", 7 | "InputParameters": "{}", 8 | "OptionalParameters": "{}", 9 | "SourceEvents": "AWS::EC2::VPNConnection" 10 | }, 11 | "Tags": "[]" 12 | } -------------------------------------------------------------------------------- /python/WAFV2_WEBACL_LOGGING_ENABLED/parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "1.0", 3 | "Parameters": { 4 | "RuleName": "WAFV2_WEBACL_LOGGING_ENABLED", 5 | "SourceRuntime": "python3.7", 6 | "CodeKey": 
"WAFV2_WEBACL_LOGGING_EBALED.zip", 7 | "InputParameters": "{\"Scope\":\"CLOUDFRONT, REGIONAL\"}", 8 | "OptionalParameters": "{}", 9 | "SourcePeriodic": "Three_Hours" 10 | }, 11 | "Tags": "[]" 12 | } 13 | -------------------------------------------------------------------------------- /python/cloudtrail_encrypted.py: -------------------------------------------------------------------------------- 1 | # 2 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | # 4 | # Ensure CloudTrail is encrypted 5 | # Description: Checks that tracked trails are encrypted (optionally with a specific KMS Key). 6 | # 7 | # Trigger Type: Change Triggered 8 | # Scope of Changes: AWS::CloudTrail::Trail 9 | # Required Parameters: None 10 | # Optional Parameter: KMSKeyARN 11 | # Optional Parameter value example : arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab 12 | 13 | import json 14 | import boto3 15 | 16 | APPLICABLE_RESOURCES = ["AWS::CloudTrail::Trail"] 17 | OPTIONAL_PARAMETER = "KMSKeyARN" 18 | 19 | # Verify the optional parameter, set the parameter to "None" if not existant 20 | def normalize_optional_parameter(rule_parameters,optional_parameter): 21 | if not rule_parameters: 22 | rule_parameters = {optional_parameter: "None"} 23 | print(optional_parameter+ " set to 'None'") 24 | else: 25 | if not optional_parameter in rule_parameters: 26 | rule_parameters = {optional_parameter: "None"} 27 | print(optional_parameter+ " set to 'None'") 28 | else: 29 | print(optional_parameter+ " set to rule parameter value: " + rule_parameters[optional_parameter]) 30 | return rule_parameters 31 | 32 | # Verify compliance 33 | def evaluate_compliance(configuration_item, rule_parameters, optional_parameter): 34 | if (configuration_item["resourceType"] not in APPLICABLE_RESOURCES) or (configuration_item["configurationItemStatus"] == "ResourceDeleted"): 35 | return { 36 | "compliance_type": "NOT_APPLICABLE", 37 | 
"annotation": "NOT_APPLICABLE" 38 | } 39 | 40 | compliance_status = False 41 | print configuration_item 42 | kms_key_id = configuration_item["configuration"]["kmsKeyId"] 43 | print kms_key_id 44 | if kms_key_id == rule_parameters[optional_parameter] and kms_key_id != "None": 45 | return { 46 | "compliance_type": "COMPLIANT", 47 | "annotation": 'Encryption is enabled with the specified KMS key [' + kms_key_id + '].' 48 | } 49 | elif rule_parameters[optional_parameter] == "None" and kms_key_id != "None": 50 | return { 51 | "compliance_type": "COMPLIANT", 52 | "annotation": 'Encryption is enabled (no key specified in the Rule).' 53 | } 54 | elif kms_key_id != rule_parameters[optional_parameter] and kms_key_id != "None": 55 | return { 56 | "compliance_type": "NON_COMPLIANT", 57 | "annotation": 'Encryption is enabled with [' + kms_key_id + ']. It is not with the specified KMS key in the rule [' + rule_parameters[optional_parameter] + '].' 58 | } 59 | else: 60 | return { 61 | "compliance_type": "NON_COMPLIANT", 62 | "annotation": 'Encryption is disabled.' 63 | } 64 | 65 | # Start of the lambda function 66 | def lambda_handler(event, context): 67 | invoking_event = json.loads(event['invokingEvent']) 68 | configuration_item = invoking_event["configurationItem"] 69 | 70 | rule_parameters = json.loads(event["ruleParameters"]) 71 | print rule_parameters 72 | 73 | rule_parameters = normalize_optional_parameter(rule_parameters,OPTIONAL_PARAMETER) 74 | print rule_parameters 75 | 76 | evaluation = evaluate_compliance(configuration_item, rule_parameters) 77 | config = boto3.client('config') 78 | 79 | result_token = "No token found." 
80 | if "resultToken" in event: 81 | result_token = event["resultToken"] 82 | 83 | config.put_evaluations( 84 | Evaluations=[ 85 | { 86 | "ComplianceResourceType": configuration_item["resourceType"], 87 | "ComplianceResourceId": configuration_item["resourceId"], 88 | "ComplianceType": evaluation["compliance_type"], 89 | "Annotation": evaluation["annotation"], 90 | "OrderingTimestamp": configuration_item["configurationItemCaptureTime"] 91 | }, 92 | ], 93 | ResultToken=result_token 94 | ) -------------------------------------------------------------------------------- /python/cloudtrail_lfi_activated.py: -------------------------------------------------------------------------------- 1 | # 2 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | # 4 | # Ensure CloudTrail log file validation is enabled 5 | # Description: Checks that tracked trails have log file integrity activated. 6 | # 7 | # Trigger Type: Change Triggered 8 | # Scope of Changes: AWS::CloudTrail::Trail 9 | # Required Parameters: None 10 | 11 | import json 12 | import boto3 13 | 14 | APPLICABLE_RESOURCES = ["AWS::CloudTrail::Trail"] 15 | 16 | def evaluate_compliance(configuration_item): 17 | if (configuration_item["resourceType"] not in APPLICABLE_RESOURCES) or (configuration_item["configurationItemStatus"] == "ResourceDeleted"): 18 | return { 19 | "compliance_type": "NOT_APPLICABLE", 20 | "annotation": "NOT_APPLICABLE" 21 | } 22 | 23 | lfi_status = configuration_item["configuration"]["logFileValidationEnabled"] 24 | 25 | if lfi_status: 26 | return { 27 | "compliance_type": "COMPLIANT", 28 | "annotation": 'Log File Validation is enabled.' 29 | } 30 | else: 31 | return { 32 | "compliance_type": "NON_COMPLIANT", 33 | "annotation": 'Log File Validation is disabled.' 
34 | } 35 | 36 | def lambda_handler(event, context): 37 | invoking_event = json.loads(event['invokingEvent']) 38 | configuration_item = invoking_event["configurationItem"] 39 | evaluation = evaluate_compliance(configuration_item) 40 | config = boto3.client('config') 41 | 42 | result_token = "No token found." 43 | if "resultToken" in event: 44 | result_token = event["resultToken"] 45 | 46 | config.put_evaluations( 47 | Evaluations=[ 48 | { 49 | "ComplianceResourceType": configuration_item["resourceType"], 50 | "ComplianceResourceId": configuration_item["resourceId"], 51 | "ComplianceType": evaluation["compliance_type"], 52 | "Annotation": evaluation["annotation"], 53 | "OrderingTimestamp": configuration_item["configurationItemCaptureTime"] 54 | }, 55 | ], 56 | ResultToken=result_token 57 | ) -------------------------------------------------------------------------------- /python/config_enabled.py: -------------------------------------------------------------------------------- 1 | # 2 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | # 4 | # Ensure Config is enabled 5 | # Description: Checks that Config has been activated and if it logs to a specific bucket OR a send to a specifc SNS topic. 
6 | # 7 | # Trigger Type: Periodic 8 | # Scope of Changes: N/A 9 | # Required Parameters: None 10 | # Optional Parameter 1 name: s3BucketName 11 | # Optional Parameter 1 value example: config-bucket-123456789012-ap-southeast-1 12 | # Optional Parameter 2 name: snsTopicARN 13 | # Optional Parameter 2 value example: arn:aws:sns:ap-southeast-1:123456789012:config-topic 14 | 15 | 16 | import boto3 17 | import json 18 | from datetime import datetime 19 | 20 | client = boto3.client('config') 21 | 22 | 23 | def lambda_handler(event, context): 24 | compliance_type = 'COMPLIANT' 25 | 26 | today = datetime.today() 27 | rule_parameters = json.loads(event['ruleParameters']) 28 | 29 | # First check configuration recorder is created 30 | config_recorder_response = client.describe_configuration_recorder_status() 31 | 32 | if 'ConfigurationRecordersStatus' not in config_recorder_response or \ 33 | len(config_recorder_response['ConfigurationRecordersStatus']) < 1: 34 | compliance_type = 'NON_COMPLIANT' 35 | 36 | for config_recorder in config_recorder_response['ConfigurationRecordersStatus']: 37 | if not config_recorder['recording']: 38 | compliance_type = 'NON_COMPLIANT' 39 | 40 | # Check that there are delivery channels and that they're mapping to the appropriate buckets 41 | delivery_channels_response = client.describe_delivery_channels() 42 | print(delivery_channels_response['DeliveryChannels']) 43 | 44 | if 'DeliveryChannels' not in delivery_channels_response or len(delivery_channels_response['DeliveryChannels']) < 1: 45 | compliance_type = 'NON_COMPLIANT' 46 | 47 | if 's3BucketName' in rule_parameters: 48 | for channel in delivery_channels_response['DeliveryChannels']: 49 | if channel['s3BucketName'] != rule_parameters['s3BucketName']: 50 | compliance_type = 'NON_COMPLIANT' 51 | 52 | if 'snsTopicARN' in rule_parameters: 53 | for channel in delivery_channels_response['DeliveryChannels']: 54 | if channel['snsTopicARN'] != rule_parameters['snsTopicARN']: 55 | compliance_type = 
'NON_COMPLIANT' 56 | 57 | client.put_evaluations( 58 | Evaluations=[ 59 | { 60 | 'ComplianceResourceType': 'AWS::::Account', 61 | 'ComplianceResourceId': event['accountId'], 62 | 'ComplianceType': compliance_type, 63 | 'Annotation': 'Check if Config was enabled and also routing to the appropriate s3 bucket and sns topic', 64 | 'OrderingTimestamp': datetime(today.year, today.month, today.day, today.hour) 65 | } 66 | ], 67 | ResultToken=event['resultToken'] 68 | ) 69 | -------------------------------------------------------------------------------- /python/config_rules_exist.py: -------------------------------------------------------------------------------- 1 | # 2 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | # 4 | # Ensure one or several specific Config Rules exist 5 | # Description: Checks that specific config rules exists, including itself if configured. 6 | # 7 | # Trigger Type: Periodic 8 | # Scope of Changes: N/A 9 | # Required Parameter name: ConfigRules 10 | # Required Parameter value example: config-rule-name1,config-rule-name2 (split multiple rule name with a ",") 11 | 12 | 13 | import boto3 14 | import json 15 | 16 | 17 | def evaluate_compliance(rule_parameters): 18 | if 'ConfigRules' in rule_parameters: 19 | rulesToCheck = [] 20 | for rules in rule_parameters["ConfigRules"].split(","): 21 | rulesToCheck.append(rules) 22 | else: 23 | print("No Rules defined in parameter") 24 | #print rulesToCheck 25 | fails = 0 26 | 27 | client = boto3.client('config') 28 | try: 29 | response = client.describe_config_rules(ConfigRuleNames=rulesToCheck) 30 | for i in response["ConfigRules"]: 31 | ruleActive = i["ConfigRuleState"] 32 | print(i) 33 | if ruleActive == "ACTIVE": 34 | pass 35 | else: 36 | fails = fails + 1 37 | 38 | except: 39 | fails = fails + 1 40 | 41 | if fails == 0: 42 | return "COMPLIANT" 43 | else: 44 | return "NON_COMPLIANT" 45 | 46 | 47 | 48 | def lambda_handler(event, context): 
49 | account_id = event['accountId'] 50 | invoking_event = json.loads(event["invokingEvent"]) 51 | print (invoking_event) 52 | rule_parameters = json.loads(event["ruleParameters"]) 53 | result_token = "No token found." 54 | if "resultToken" in event: 55 | result_token = event["resultToken"] 56 | 57 | config = boto3.client("config") 58 | config.put_evaluations( 59 | Evaluations=[ 60 | { 61 | 'ComplianceResourceType': 'AWS::::Account', 62 | 'ComplianceResourceId': account_id, 63 | 'ComplianceType': evaluate_compliance(rule_parameters), 64 | 'OrderingTimestamp': invoking_event['notificationCreationTime'] 65 | }, 66 | ], 67 | ResultToken=event['resultToken'] 68 | ) 69 | -------------------------------------------------------------------------------- /python/ec2_desired_instance_type.py: -------------------------------------------------------------------------------- 1 | # 2 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | # 4 | # Ensure all EC2 Instances are of a Given Type 5 | # Description: Checks that all EC2 instances are of the type specified 6 | # 7 | # Trigger Type: Change Triggered 8 | # Scope of Changes: EC2:Instance 9 | # Required Parameter: desiredInstanceType 10 | # Example Value: t2.small 11 | # 12 | # See https://aws.amazon.com/ec2/instance-types/ for more instance types 13 | 14 | import boto3 15 | import json 16 | 17 | def is_applicable(config_item, event): 18 | status = config_item['configurationItemStatus'] 19 | event_left_scope = event['eventLeftScope'] 20 | test = ((status in ['OK', 'ResourceDiscovered']) and 21 | event_left_scope == False) 22 | return test 23 | 24 | 25 | def evaluate_compliance(config_item, rule_parameters): 26 | if (config_item['resourceType'] != 'AWS::EC2::Instance'): 27 | return 'NOT_APPLICABLE' 28 | 29 | elif (config_item['configuration']['instanceType'] == 30 | rule_parameters['desiredInstanceType']): 31 | return 'COMPLIANT' 32 | else: 33 | return 
'NON_COMPLIANT' 34 | 35 | 36 | def lambda_handler(event, context): 37 | invoking_event = json.loads(event['invokingEvent']) 38 | rule_parameters = json.loads(event['ruleParameters']) 39 | 40 | compliance_value = 'NOT_APPLICABLE' 41 | 42 | if is_applicable(invoking_event['configurationItem'], event): 43 | compliance_value = evaluate_compliance( 44 | invoking_event['configurationItem'], rule_parameters) 45 | 46 | config = boto3.client('config') 47 | response = config.put_evaluations( 48 | Evaluations=[ 49 | { 50 | 'ComplianceResourceType': invoking_event['configurationItem']['resourceType'], 51 | 'ComplianceResourceId': invoking_event['configurationItem']['resourceId'], 52 | 'ComplianceType': compliance_value, 53 | 'OrderingTimestamp': invoking_event['configurationItem']['configurationItemCaptureTime'] 54 | }, 55 | ], 56 | ResultToken=event['resultToken']) 57 | 58 | 59 | -------------------------------------------------------------------------------- /python/ec2_desired_lifecycle_spot.py: -------------------------------------------------------------------------------- 1 | # 2 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | # 4 | # Description: Checks that all EC2 instances are launched as Spot Instances for maximum cost savings 5 | # 6 | # Trigger Type: Change Triggered 7 | # Scope of Changes: EC2:Instance 8 | # Required Parameter: desiredLifecycle 9 | # Required Value: spot 10 | # 11 | # See https://aws.amazon.com/ec2/spot/ to learn more about EC2 Spot Instances 12 | 13 | import boto3 14 | import json 15 | 16 | def is_applicable(config_item, event): 17 | status = config_item['configurationItemStatus'] 18 | event_left_scope = event['eventLeftScope'] 19 | test = ((status in ['OK', 'ResourceDiscovered']) and 20 | event_left_scope == False) 21 | return test 22 | 23 | def evaluate_compliance(config_item, rule_parameters): 24 | if (config_item['resourceType'] != 'AWS::EC2::Instance'): 25 | return 
'NOT_APPLICABLE' 26 | 27 | elif (config_item['configuration']['instanceLifecycle'] == 28 | rule_parameters['desiredLifecycle']): 29 | return 'COMPLIANT' 30 | else: 31 | return 'NON_COMPLIANT' 32 | 33 | def lambda_handler(event, context): 34 | invoking_event = json.loads(event['invokingEvent']) 35 | rule_parameters = json.loads(event['ruleParameters']) 36 | 37 | compliance_value = 'NOT_APPLICABLE' 38 | 39 | if is_applicable(invoking_event['configurationItem'], event): 40 | compliance_value = evaluate_compliance( 41 | invoking_event['configurationItem'], rule_parameters) 42 | 43 | config = boto3.client('config') 44 | response = config.put_evaluations( 45 | Evaluations=[ 46 | { 47 | 'ComplianceResourceType': invoking_event['configurationItem']['resourceType'], 48 | 'ComplianceResourceId': invoking_event['configurationItem']['resourceId'], 49 | 'ComplianceType': compliance_value, 50 | 'OrderingTimestamp': invoking_event['configurationItem']['configurationItemCaptureTime'] 51 | }, 52 | ], 53 | ResultToken=event['resultToken']) 54 | 55 | 56 | -------------------------------------------------------------------------------- /python/ec2_launch_wizard_security_group_prohibited.py: -------------------------------------------------------------------------------- 1 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 2 | # 3 | # Description: Check that security groups prefixed with "launch-wizard" 4 | # are not associated with network interfaces. 5 | # 6 | # Trigger Type: Change Triggered 7 | # Scope of Changes: EC2:NetworkInterface 8 | # Accepted Parameters: None 9 | # Your Lambda function execution role will need to have a policy that provides 10 | # the appropriate permissions. Here is a policy that you can consider. 11 | # You should validate this for your own environment. 
12 | # 13 | # { 14 | # "Version": "2012-10-17", 15 | # "Statement": [ 16 | # { 17 | # "Effect": "Allow", 18 | # "Action": [ 19 | # "logs:CreateLogGroup", 20 | # "logs:CreateLogStream", 21 | # "logs:PutLogEvents" 22 | # ], 23 | # "Resource": "arn:aws:logs:*:*:*" 24 | # }, 25 | # { 26 | # "Effect": "Allow", 27 | # "Action": [ 28 | # "config:PutEvaluations" 29 | # ], 30 | # "Resource": "*" 31 | # } 32 | # ] 33 | # } 34 | 35 | 36 | import boto3 37 | import json 38 | 39 | 40 | APPLICABLE_RESOURCES = ["AWS::EC2::NetworkInterface"] 41 | 42 | 43 | def evaluate_compliance(configuration_item): 44 | 45 | # Start as compliant 46 | compliance_type = 'COMPLIANT' 47 | annotation = "Resource is compliant." 48 | 49 | # Check resource for applicability 50 | if configuration_item["resourceType"] not in APPLICABLE_RESOURCES: 51 | compliance_type = 'NOT_APPLICABLE' 52 | annotation = "The rule doesn't apply to resources of type " \ 53 | + configuration_item["resourceType"] + "." 54 | 55 | # Check if the resource has been deleted 56 | elif configuration_item["configurationItemStatus"] == "ResourceDeleted": 57 | compliance_type = 'NOT_APPLICABLE' 58 | annotation = "The resource " + configuration_item["resourceId"] + " has been deleted." 
59 | # Iterate over security groups 60 | else: 61 | for sg in configuration_item['configuration']['groups']: 62 | if "launch-wizard" in sg['groupName']: 63 | compliance_type = 'NON_COMPLIANT' 64 | annotation = 'A launch-wizard security group is attached to ' + configuration_item['configuration']['privateIpAddress'] 65 | break 66 | 67 | return { 68 | "compliance_type": compliance_type, 69 | "annotation": annotation 70 | } 71 | 72 | 73 | def lambda_handler(event, context): 74 | 75 | invoking_event = json.loads(event['invokingEvent']) 76 | configuration_item = invoking_event["configurationItem"] 77 | evaluation = evaluate_compliance(configuration_item) 78 | config = boto3.client('config') 79 | 80 | print('Compliance evaluation for %s: %s' % (configuration_item['resourceId'], evaluation["compliance_type"])) 81 | print('Annotation: %s' % (evaluation["annotation"])) 82 | 83 | response = config.put_evaluations( 84 | Evaluations=[ 85 | { 86 | 'ComplianceResourceType': invoking_event['configurationItem']['resourceType'], 87 | 'ComplianceResourceId': invoking_event['configurationItem']['resourceId'], 88 | 'ComplianceType': evaluation["compliance_type"], 89 | "Annotation": evaluation["annotation"], 90 | 'OrderingTimestamp': invoking_event['configurationItem']['configurationItemCaptureTime'] 91 | }, 92 | ], 93 | ResultToken=event['resultToken']) 94 | -------------------------------------------------------------------------------- /python/ec2_require_security_group_by_tag.py: -------------------------------------------------------------------------------- 1 | # 2 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | # 4 | # Ensure all EC2 Instances that have a certain tag format also have a specific security group 5 | # Description: Checks that all EC2 instances that have a certain tag format also have a specific security group 6 | # 7 | # Trigger Type: Change Triggered 8 | # Scope of Changes: EC2:Instance 9 | # 
Required Parameters: namePattern 10 | # Example Value: ^prod(us|eu|br)[lw]box[0-9]{3}$ (which will match 'produslbox001') 11 | # Required Parameters: securityGroupName 12 | # Example Value: MySecGroup 13 | # 14 | 15 | import boto3 16 | import json 17 | import re 18 | 19 | def is_applicable(config_item, event): 20 | status = config_item['configurationItemStatus'] 21 | event_left_scope = event['eventLeftScope'] 22 | return ((status in ['OK', 'ResourceDiscovered']) and 23 | (event_left_scope == False) and 24 | (config_item['resourceType'] == 'AWS::EC2::Instance')) 25 | 26 | def evaluate_compliance(config_item, rule_parameters): 27 | # Initialize evaluation to 'not applicable', i.e. rule doesn't apply 28 | evaluation = 'NOT_APPLICABLE' 29 | configuration = config_item['configuration'] 30 | tags = configuration['tags'] 31 | reg = re.compile(rule_parameters['namePattern']) 32 | # If the config item is for an EC2 instance, then iterate through the tags for that instance 33 | for tag in tags: 34 | # Check if this is the 'Name' tag, and that it matches the provided regex value 35 | if (tag['key'] == 'Name') and (reg.match(tag['value']) != None): 36 | # if so, initialize to 'non-compliant' 37 | evaluation = 'NON_COMPLIANT' 38 | secGroups = configuration['securityGroups'] 39 | # iterate through the security groups and see if the provided secGroup name is in the list. 
40 | # if so, set compliance to 'compliant' 41 | for secGroup in secGroups: 42 | if (secGroup['groupName'] == rule_parameters['securityGroupName']): 43 | evaluation = 'COMPLIANT' 44 | return evaluation 45 | 46 | def lambda_handler(event, context): 47 | invoking_event = json.loads(event['invokingEvent']) 48 | rule_parameters = json.loads(event['ruleParameters']) 49 | 50 | compliance_value = 'NOT_APPLICABLE' 51 | 52 | if is_applicable(invoking_event['configurationItem'], event): 53 | compliance_value = evaluate_compliance( 54 | invoking_event['configurationItem'], rule_parameters) 55 | 56 | config = boto3.client('config') 57 | response = config.put_evaluations( 58 | Evaluations=[ 59 | { 60 | 'ComplianceResourceType': invoking_event['configurationItem']['resourceType'], 61 | 'ComplianceResourceId': invoking_event['configurationItem']['resourceId'], 62 | 'ComplianceType': compliance_value, 63 | 'OrderingTimestamp': invoking_event['configurationItem']['configurationItemCaptureTime'] 64 | }, 65 | ], 66 | ResultToken=event['resultToken']) 67 | 68 | 69 | -------------------------------------------------------------------------------- /python/ec2_security_group_port_range_all_prohibited.py: -------------------------------------------------------------------------------- 1 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 2 | # 3 | # Description: Check that security groups do not have an inbound rule 4 | # with port range of "All". 5 | # 6 | # Trigger Type: Change Triggered 7 | # Scope of Changes: EC2:SecurityGroup 8 | # Accepted Parameters: None 9 | # Your Lambda function execution role will need to have a policy that provides 10 | # the appropriate permissions. Here is a policy that you can consider. 11 | # You should validate this for your own environment. 
12 | # 13 | # { 14 | # "Version": "2012-10-17", 15 | # "Statement": [ 16 | # { 17 | # "Effect": "Allow", 18 | # "Action": [ 19 | # "logs:CreateLogGroup", 20 | # "logs:CreateLogStream", 21 | # "logs:PutLogEvents" 22 | # ], 23 | # "Resource": "arn:aws:logs:*:*:*" 24 | # }, 25 | # { 26 | # "Effect": "Allow", 27 | # "Action": [ 28 | # "config:PutEvaluations" 29 | # ], 30 | # "Resource": "*" 31 | # } 32 | # ] 33 | # } 34 | 35 | 36 | import boto3 37 | import json 38 | 39 | 40 | APPLICABLE_RESOURCES = ["AWS::EC2::SecurityGroup"] 41 | 42 | 43 | def evaluate_compliance(configuration_item): 44 | 45 | # Start as compliant 46 | compliance_type = 'COMPLIANT' 47 | annotation = "Security group is compliant." 48 | 49 | # Check if resource was deleted 50 | if configuration_item['configurationItemStatus'] == "ResourceDeleted": 51 | compliance_type = 'NOT_APPLICABLE' 52 | annotation = "This resource was deleted." 53 | 54 | # Check resource for applicability 55 | elif configuration_item["resourceType"] not in APPLICABLE_RESOURCES: 56 | compliance_type = 'NOT_APPLICABLE' 57 | annotation = "The rule doesn't apply to resources of type " \ 58 | + configuration_item["resourceType"] + "." 59 | 60 | else: 61 | # Iterate over IP permissions 62 | for i in configuration_item['configuration']['ipPermissions']: 63 | # inbound rules with no "fromPort" have a value of "All" 64 | if "fromPort" not in i: 65 | compliance_type = 'NON_COMPLIANT' 66 | annotation = 'Security group is not compliant.' 
67 | break 68 | 69 | return { 70 | "compliance_type": compliance_type, 71 | "annotation": annotation 72 | } 73 | 74 | 75 | def lambda_handler(event, context): 76 | 77 | invoking_event = json.loads(event['invokingEvent']) 78 | configuration_item = invoking_event["configurationItem"] 79 | evaluation = evaluate_compliance(configuration_item) 80 | config = boto3.client('config') 81 | 82 | print('Compliance evaluation for %s: %s' % (configuration_item['resourceId'], evaluation["compliance_type"])) 83 | print('Annotation: %s' % (evaluation["annotation"])) 84 | 85 | response = config.put_evaluations( 86 | Evaluations=[ 87 | { 88 | 'ComplianceResourceType': invoking_event['configurationItem']['resourceType'], 89 | 'ComplianceResourceId': invoking_event['configurationItem']['resourceId'], 90 | 'ComplianceType': evaluation["compliance_type"], 91 | "Annotation": evaluation["annotation"], 92 | 'OrderingTimestamp': invoking_event['configurationItem']['configurationItemCaptureTime'] 93 | }, 94 | ], 95 | ResultToken=event['resultToken']) 96 | -------------------------------------------------------------------------------- /python/ec2_security_group_protocol_all_prohibited.py: -------------------------------------------------------------------------------- 1 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 2 | # 3 | # Description: Check that security groups do not have an inbound rule 4 | # with protocol of "All". 5 | # 6 | # Trigger Type: Change Triggered 7 | # Scope of Changes: EC2:SecurityGroup 8 | # Accepted Parameters: None 9 | # Your Lambda function execution role will need to have a policy that provides 10 | # the appropriate permissions. Here is a policy that you can consider. 11 | # You should validate this for your own environment. 
12 | # 13 | # { 14 | # "Version": "2012-10-17", 15 | # "Statement": [ 16 | # { 17 | # "Effect": "Allow", 18 | # "Action": [ 19 | # "logs:CreateLogGroup", 20 | # "logs:CreateLogStream", 21 | # "logs:PutLogEvents" 22 | # ], 23 | # "Resource": "arn:aws:logs:*:*:*" 24 | # }, 25 | # { 26 | # "Effect": "Allow", 27 | # "Action": [ 28 | # "config:PutEvaluations" 29 | # ], 30 | # "Resource": "*" 31 | # } 32 | # ] 33 | # } 34 | 35 | 36 | import boto3 37 | import json 38 | 39 | 40 | APPLICABLE_RESOURCES = ["AWS::EC2::SecurityGroup"] 41 | 42 | 43 | def evaluate_compliance(configuration_item): 44 | 45 | # Start as compliant 46 | compliance_type = 'COMPLIANT' 47 | annotation = "Security group is compliant." 48 | 49 | # Check if resource was deleted 50 | if configuration_item['configurationItemStatus'] == "ResourceDeleted": 51 | compliance_type = 'NOT_APPLICABLE' 52 | annotation = "This resource was deleted." 53 | 54 | # Check resource for applicability 55 | elif configuration_item["resourceType"] not in APPLICABLE_RESOURCES: 56 | compliance_type = 'NOT_APPLICABLE' 57 | annotation = "The rule doesn't apply to resources of type " \ 58 | + configuration_item["resourceType"] + "." 59 | 60 | else: 61 | # Iterate over IP permissions 62 | for ip in configuration_item['configuration']['ipPermissions']: 63 | if ip['ipProtocol'] == "-1": 64 | compliance_type = 'NON_COMPLIANT' 65 | annotation = 'Security group is not compliant.' 
66 | break 67 | 68 | return { 69 | "compliance_type": compliance_type, 70 | "annotation": annotation 71 | } 72 | 73 | 74 | def lambda_handler(event, context): 75 | 76 | invoking_event = json.loads(event['invokingEvent']) 77 | configuration_item = invoking_event["configurationItem"] 78 | evaluation = evaluate_compliance(configuration_item) 79 | config = boto3.client('config') 80 | 81 | print('Compliance evaluation for %s: %s' % (configuration_item['resourceId'], evaluation["compliance_type"])) 82 | print('Annotation: %s' % (evaluation["annotation"])) 83 | 84 | response = config.put_evaluations( 85 | Evaluations=[ 86 | { 87 | 'ComplianceResourceType': invoking_event['configurationItem']['resourceType'], 88 | 'ComplianceResourceId': invoking_event['configurationItem']['resourceId'], 89 | 'ComplianceType': evaluation["compliance_type"], 90 | "Annotation": evaluation["annotation"], 91 | 'OrderingTimestamp': invoking_event['configurationItem']['configurationItemCaptureTime'] 92 | }, 93 | ], 94 | ResultToken=event['resultToken']) 95 | -------------------------------------------------------------------------------- /python/iam_policy_exists.py: -------------------------------------------------------------------------------- 1 | # 2 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | # 4 | # Ensure one or several specific IAM policies exist 5 | # Description: Checks that defined IAM policies have been defined in AWS IAM. 
6 | # 7 | # Trigger Type: Periodic 8 | # Scope of Changes: N/A 9 | # Required Parameter name: PoliciesToCheck 10 | # Required Parameter value example: policy-name1,policy-name2 (split multiple rule name with a ",") 11 | 12 | import boto3 13 | import json 14 | 15 | 16 | def evaluate_compliance(rule_parameters, account_id): 17 | fails = 0 18 | client = boto3.client("iam") 19 | 20 | if 'PoliciesToCheck' in rule_parameters: 21 | for policy in rule_parameters["PoliciesToCheck"].split(","): 22 | policyARN = "arn:aws:iam::%s:policy/%s" %(account_id, policy) 23 | print(policyARN) 24 | try: 25 | response = client.get_policy(PolicyArn=policyARN) 26 | except: 27 | fails = fails + 1 28 | else: 29 | print("No IAM policy defined in parameter") 30 | fails = fails + 1 31 | if fails == 0: 32 | return "COMPLIANT" 33 | else: 34 | return "NON_COMPLIANT" 35 | 36 | 37 | def lambda_handler(event, context): 38 | account_id = event['accountId'] 39 | invoking_event = json.loads(event["invokingEvent"]) 40 | print(invoking_event) 41 | rule_parameters = json.loads(event["ruleParameters"]) 42 | result_token = "No token found." 43 | if "resultToken" in event: 44 | result_token = event["resultToken"] 45 | 46 | config = boto3.client("config") 47 | config.put_evaluations( 48 | Evaluations=[ 49 | { 50 | 'ComplianceResourceType': 'AWS::::Account', 51 | 'ComplianceResourceId': account_id, 52 | 'ComplianceType': evaluate_compliance(rule_parameters, account_id), 53 | 'OrderingTimestamp': invoking_event['notificationCreationTime'] 54 | }, 55 | ], 56 | ResultToken=event['resultToken'] 57 | ) -------------------------------------------------------------------------------- /python/iam_unused_keys.py: -------------------------------------------------------------------------------- 1 | # 2 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | # 4 | # Ensure that no users have access keys that have never been used. 
5 | # Description: Checks that all users have only active access keys. 6 | # 7 | # Trigger Type: Change Triggered 8 | # Scope of Changes: IAM:User 9 | 10 | 11 | import json 12 | import logging 13 | 14 | import boto3 15 | 16 | APPLICABLE_RESOURCES = ["AWS::IAM::User"] 17 | 18 | 19 | def evaluate_compliance(configuration_item): 20 | compliant = "COMPLIANT" 21 | annotations = [] 22 | 23 | if configuration_item["resourceType"] not in APPLICABLE_RESOURCES: 24 | compliant = "NOT_APPLICABLE" 25 | annotations.append( 26 | "Cannot use this rule for resource of type {}.".format( 27 | configuration_item["resourceType"])) 28 | 29 | return compliant, " ".join(annotations) 30 | 31 | user_name = configuration_item["configuration"]["userName"] 32 | 33 | iam = boto3.client("iam") 34 | access_keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"] 35 | 36 | if access_keys: 37 | for access_key in access_keys: 38 | access_key_id = access_key["AccessKeyId"] 39 | access_key_status = access_key["Status"] 40 | 41 | last_used_date = iam.get_access_key_last_used( 42 | AccessKeyId=access_key_id 43 | ).get("AccessKeyLastUsed").get("LastUsedDate") 44 | 45 | if access_key_status == "Active" and last_used_date is None: 46 | compliant = "NON_COMPLIANT" 47 | annotations.append( 48 | "Access key with ID {} was never used.".format( 49 | access_key_id)) 50 | else: 51 | annotations.append( 52 | "Access key with ID {} key was last used {}.".format( 53 | access_key_id, last_used_date)) 54 | else: 55 | annotations.append("User do not have any active access key.") 56 | 57 | return compliant, " ".join(annotations) 58 | 59 | 60 | def lambda_handler(event, context): 61 | logging.debug("Input event: %s", event) 62 | 63 | invoking_event = json.loads(event["invokingEvent"]) 64 | configuration_item = invoking_event["configurationItem"] 65 | 66 | result_token = "No token found." 
67 | if "resultToken" in event: 68 | result_token = event["resultToken"] 69 | 70 | try: 71 | compliant, annotation = evaluate_compliance(configuration_item) 72 | 73 | config = boto3.client("config") 74 | config.put_evaluations( 75 | Evaluations=[ 76 | { 77 | "ComplianceResourceType": 78 | configuration_item["resourceType"], 79 | "ComplianceResourceId": 80 | configuration_item["resourceId"], 81 | "ComplianceType": compliant, 82 | "Annotation": annotation, 83 | "OrderingTimestamp": 84 | configuration_item["configurationItemCaptureTime"] 85 | }, 86 | ], 87 | ResultToken=result_token, 88 | ) 89 | except Exception as exception: 90 | logging.error("Error computing compliance status: %s", exception) 91 | -------------------------------------------------------------------------------- /python/rds_desired_instance_type.py: -------------------------------------------------------------------------------- 1 | # 2 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | # 4 | # Ensure all RDS DB Instances are of a Given Type 5 | # Description: Checks that all RDS DB instances are of the type specified 6 | # 7 | # Trigger Type: Change Triggered 8 | # Scope of Changes: RDS::DBInstance 9 | # Required Parameter: DBInstance 10 | # Example Value: db.t2.small 11 | # 12 | # See https://aws.amazon.com/ec2/instance-types/ for more instance types 13 | 14 | import boto3 15 | import json 16 | 17 | def is_applicable(config_item, event): 18 | status = config_item['configurationItemStatus'] 19 | event_left_scope = event['eventLeftScope'] 20 | test = ((status in ['OK', 'ResourceDiscovered']) and 21 | event_left_scope == False) 22 | return test 23 | 24 | 25 | def evaluate_compliance(config_item, rule_parameters): 26 | if (config_item['resourceType'] != 'AWS::RDS::DBInstance'): 27 | return 'NOT_APPLICABLE' 28 | 29 | elif (config_item['configuration']['dBInstanceClass'] in 30 | rule_parameters['DBInstance']): 31 | return 'COMPLIANT' 32 
| else: 33 | return 'NON_COMPLIANT' 34 | 35 | 36 | def lambda_handler(event, context): 37 | invoking_event = json.loads(event['invokingEvent']) 38 | rule_parameters = json.loads(event['ruleParameters']) 39 | 40 | compliance_value = 'NOT_APPLICABLE' 41 | 42 | if is_applicable(invoking_event['configurationItem'], event): 43 | compliance_value = evaluate_compliance( 44 | invoking_event['configurationItem'], rule_parameters) 45 | 46 | config = boto3.client('config') 47 | response = config.put_evaluations( 48 | Evaluations=[ 49 | { 50 | 'ComplianceResourceType': invoking_event['configurationItem']['resourceType'], 51 | 'ComplianceResourceId': invoking_event['configurationItem']['resourceId'], 52 | 'ComplianceType': compliance_value, 53 | 'OrderingTimestamp': invoking_event['configurationItem']['configurationItemCaptureTime'] 54 | }, 55 | ], 56 | ResultToken=event['resultToken']) 57 | -------------------------------------------------------------------------------- /python/s3_bucket_policy_prohibited.py: -------------------------------------------------------------------------------- 1 | # 2 | # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode) 3 | # 4 | # Description: Check if any s3 bucket has bucket policy and if it does mark it non-compliant 5 | # 6 | # Trigger Type: Change Triggered 7 | # Scope of Changes: S3:Instance 8 | # Accepted Parameters: None 9 | # Your Lambda function execution role will need to have a policy that provides the appropriate 10 | # permissions. Here is a policy that you can consider. 
You should validate this for your own 11 | # environment 12 | #{ 13 | # "Version": "2012-10-17", 14 | # "Statement": [ 15 | # { 16 | # "Effect": "Allow", 17 | # "Action": [ 18 | # "logs:CreateLogGroup", 19 | # "logs:CreateLogStream", 20 | # "logs:PutLogEvents" 21 | # ], 22 | # "Resource": "arn:aws:logs:*:*:*" 23 | # }, 24 | # { 25 | # "Effect": "Allow", 26 | # "Action": [ 27 | # "config:PutEvaluations" 28 | # ], 29 | # "Resource": "*" 30 | # } 31 | # ] 32 | #} 33 | # 34 | 35 | import boto3 36 | import json 37 | import logging 38 | 39 | log = logging.getLogger() 40 | log.setLevel(logging.DEBUG) 41 | APPLICABLE_RESOURCES = ["AWS::S3::Bucket"] 42 | 43 | 44 | def evaluate_compliance(configuration_item): 45 | if configuration_item["resourceType"] not in APPLICABLE_RESOURCES: 46 | return { 47 | "compliance_type": "NOT_APPLICABLE", 48 | "annotation": "The rule doesn't apply to resources of type " + 49 | configuration_item["resourceType"] + "." 50 | } 51 | 52 | if configuration_item['configurationItemStatus'] == "ResourceDeleted": 53 | return { 54 | "compliance_type": "NOT_APPLICABLE", 55 | "annotation": "The configurationItem was deleted " + 56 | "and therefore cannot be validated" 57 | } 58 | 59 | bucket_policy = configuration_item["supplementaryConfiguration"].get("BucketPolicy") 60 | if bucket_policy['policyText'] is None: 61 | return { 62 | "compliance_type": "COMPLIANT", 63 | "annotation": 'Bucket Policy does not exists' 64 | } 65 | 66 | else: 67 | return { 68 | "compliance_type": "NON_COMPLIANT", 69 | "annotation": 'Bucket Policy exists' 70 | } 71 | 72 | 73 | def lambda_handler(event, context): 74 | log.debug('Event %s', event) 75 | invoking_event = json.loads(event['invokingEvent']) 76 | configuration_item = invoking_event["configurationItem"] 77 | evaluation = evaluate_compliance(configuration_item) 78 | config = boto3.client('config') 79 | 80 | config.put_evaluations( 81 | Evaluations=[ 82 | { 83 | 'ComplianceResourceType': 
invoking_event['configurationItem']['resourceType'], 84 | 'ComplianceResourceId': invoking_event['configurationItem']['resourceId'], 85 | 'ComplianceType': evaluation["compliance_type"], 86 | "Annotation": evaluation["annotation"], 87 | 'OrderingTimestamp': invoking_event['configurationItem']['configurationItemCaptureTime'] 88 | }, 89 | ], 90 | ResultToken=event['resultToken']) 91 | --------------------------------------------------------------------------------